b"SEC\xe2\x80\x99s Records Management\nPractices\n\n\n\n\n                           September 30, 2012\n                               Report No. 505\n\x0cSEC\xe2\x80\x99s Records Management Practices             September 30, 2012\nReport No. 505\n\n                                     Page ii\n\x0cSEC\xe2\x80\x99s Records Management Practices\n\n                                Executive Summary\nBackground. SEC\xe2\x80\x99s records include confidential treatment requests files,\ncorrespondence, investigation records, matters under inquiry records, transcripts,\nworking papers, consumer complaint files, Congressional and Chairman files,\nadministrative proceedings files, self-regulatory files, bankruptcy files, effective\norders, etc.\n\nOn November 28, 2011, a presidential memorandum was issued on managing\ngovernment records. This memorandum emphasized the importance of having\nwell-managed records management program that includes reducing redundant\nefforts, minimizing costs and sharing institutional knowledge within and across\norganizations. Further, the memorandum states that \xe2\x80\x9cproper records\nmanagement is the backbone of open Government.\xe2\x80\x9d1\n\nThe Office of Records Management Services (ORMS) is responsible for\ncoordinating, overseeing and implementing the U.S. Securities and Exchange\nCommission\xe2\x80\x99s (SEC or Commission) records management program at its\nHeadquarters, Operations Center, and 11 Regional Office locations.2 ORMS and\nthe Office of Security Services (OSS) are direct reporting units to the Office of\nSupport Operations (OSO). OSS has oversight of the SEC\xe2\x80\x99s vital records\nprogram.\n\nORMS oversees the SEC\xe2\x80\x99s overall records management program through points-\nof-contacts (POC) in most offices and divisions. The POCs provide oversight of\ntheir individual records management program and practices.3 ORMS\xe2\x80\x99\nresponsibilities include \xe2\x80\x9cproviding reference services for Commission staffers,\nother Federal, state and local entities and members of the public that are\nessential in assisting the SEC in achieving its mission.\xe2\x80\x9d4 Additionally, the office\n\xe2\x80\x9ccoordinates with the Commission\xe2\x80\x99s Office of Investor Education and Advocacy\nand Public Reference Room for records reference requests from the public.\xe2\x80\x9d5\nFurther, ORMS assists the Office of Freedom of Information Act (FOIA) Services,\nin responding to requests for nonpublic records under FOIA. SEC staff can find\nanswers to questions on \xe2\x80\x9cHow to Request Records\xe2\x80\x9d and \xe2\x80\x9cFrequently Asked\nQuestions About Records\xe2\x80\x9d on the SEC Intranet.\n\n1\n  Presidential Memorandum \xe2\x80\x93 Managing Government Records, (Nov. 28, 2011), p.1.\n2\n  SEC\xe2\x80\x99s headquarters and regional offices are comprised of 36 offices and divisions that are headed by\nDirectors. SEC also has the Chairman\xe2\x80\x99s office and 4 Commissioners\xe2\x80\x99 offices.\n3\n  POCs are mainly comprised of administrative officers and business managers. Other serving in this role\ninclude assistant directors and personnel with various other titles.\n4\n  ORMS, Standard Operating Policy 2.1, Requestors, p.1.\n5\n  Id.\nSEC\xe2\x80\x99s Records Management Practices                                                  September 30, 2012\nReport No. 505\n\n                                                Page iii\n\x0cObjectives. The objectives of our audit were to examine whether ORMS:\n\n   \xef\x82\xb7   established a viable records management program that ensures\n       permanent SEC records are appropriately maintained and\n       preserved in accordance with applicable Federal statutes and\n       regulations; and\n   \xef\x82\xb7   adhered to applicable Federal statutes and regulations regarding\n       the retention, disposal, transfer, and recovery of SEC records.\n\nWhere appropriate OIG identified best practices.\n\nResults. The SEC does not have an active staff assistance program and\nperiodic agency-wide staff assistance visits were not conducted by ORMS or its\npredecessors. Although ORMS provided assistance to SEC offices and divisions\nto identify their records and has scheduled records for disposition, it has not\nconducted staff assistance visits of all 36 SEC offices and divisions. Therefore,\nconfusion exists among POCs regarding their records management\nresponsibilities.\n\nIn addition, our audit revealed that although ORMS readily answered agency\nstaff questions about records matters, provided basic records management\ntraining during SEC\xe2\x80\x99s new employee orientation, and provided training to staff in\nthe Regional Offices, the office did not provide records management training to\nstaff agency-wide. OIG determined that this has caused confusion among\nemployees.\n\nOur review of a sample number of records requests found that some staff in\nORMS did not follow the office\xe2\x80\x99s standard operating policy in processing requests\nand several requests were not completed in ORMS\xe2\x80\x99 goal of seven business days\ngoal for non-urgent records requests.\n\nWe also identified offices that did not have records retention schedules and other\noffices whose records retention schedules were outdated. Additionally, we found\noffices ORMS had not met with to determine if they had records.\n\nOIG determined that many offices and divisions do not have proper records\nmanagement procedures and ensure that active records are properly and\neconomically maintained, and used on a regular basis. Further, we found that\ninactive records are not regularly disposed.\n\nSeveral POCs informed OIG they do not know when their records should be\ndisposed of and they do not dispose of records annually. Additionally, until\nrecently, ORMS had not reviewed the contents of 256 boxes their contractor\nidentified in a report that was issued to ORMS in November 2010. ORMS\n\n\nSEC\xe2\x80\x99s Records Management Practices                               September 30, 2012\nReport No. 505\n\n                                     Page iv\n\x0cinformed OIG that it has now reviewed 98 of the boxes and they are coordinating\nwith the Federal Records Center (FRC) to review the remaining boxes.\n\nOur audit also found that ORMS has not performed a timely review of\nCommission records that are eligible for destruction. Thus, a backlog exists that\nrepresents approximately 10 years of records that are eligible for destruction, but\nhave not been destroyed. Although ORMS maintains hard copies of disposal\nforms the FRC provides for their review, approval, and destruction for records,\nthe office does not maintain a list of the Commission records the FRC has\nidentified as eligible for destruction.\n\nFurther, we determined that some offices and divisions do not have records\nmanagement POCs. We also found that SEC\xe2\x80\x99s records management directives\ndo not require offices or divisions to have records management POCs. As a\nresult, some SEC employees do not understand their records management\nresponsibilities. Also, the Federal regulations and SEC policies covering records\nmanagement are not being followed properly.\n\nOSS has oversight of the SEC\xe2\x80\x99s vital records program and is working with ORMS\nto evaluate the program. Thus, OSS has not defined the SEC\xe2\x80\x99s vital records and\ndid not review or update the agency\xe2\x80\x99s vital records at least annually. As a result,\nSEC\xe2\x80\x99s listing of vital records is incomplete and outdated. Further, the SEC has\nnot definitively established how it will protect and retrieve vital records in an\nemergency situation. Due to changes in responsibilities for vital records\nmanagement, confusion exists regarding the SEC\xe2\x80\x99s compliance with the National\nArchives and Records Administration\xe2\x80\x99s (NARA) guidance on vital records.\nConsequently, the SEC did not comply with certain vital records management\nregulations.\n\nLastly, our audit found that the SEC\xe2\x80\x99s records management administrative\nregulations and vital records handbook are outdated. The administrative\nregulations contain terminology, processes and forms that are no longer current\nand the Vital Records Handbook includes a form the SEC has never used.\n\nSummary of Recommendations. This report contains 12 recommendations to\naid in ensuring SEC\xe2\x80\x99s records are properly managed and to strengthen the\nSEC\xe2\x80\x99s records management program. Based on the results of our audit, we\nrecommended that ORMS periodically conduct agency-wide staff assistance\nvisits of the SEC\xe2\x80\x99s records management programs in accordance with SECR 7-1,\nSecurities and Exchange Commission\xe2\x80\x99s Records Management Program. ORMS\nshould also develop a records management training program and offer training\nsessions on records management to all SEC employees. We also recommended\nthat ORMS develop more robust internal controls to provide oversight to its\nemployees in processing records requests. Further, we recommended that\nORMS work with offices and divisions agency-wide to ensure they have current\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n\n                                      Page v\n\x0cand complete records retention schedules. ORMS should also establish records\nmanagement procedures that enable SEC offices and divisions to properly\nmanage their records in accordance with applicable Federal regulations and the\nSEC\xe2\x80\x99s administrative regulations.\n\nAdditionally, ORMS should develop a definitive plan and milestones to review the\nbacklog of records that are maintained at the FRC and determine how the\nrecords will be treated. We also recommended that ORMS develop an action\nplan to address the 10-year backlog of records the FRC has identified as being\neligible for destruction. ORMS should also require all offices and divisions to\ndesignate a POC for records management matters, then periodically verify the\nlisting. We further recommended that OSS, in coordination with ORMS, develop\na vital records program that includes processes and procedures, and establish\nand maintain the SEC\xe2\x80\x99s vital records in accordance with applicable Federal\nregulations and NARA\xe2\x80\x99s guidance on vital records management.\n\nWe also recommended ORMS update its administrative regulations covering\nrecords management and train SEC employees on the new regulations. Lastly,\nOSS and ORMS should coordinate reviewing SEC\xe2\x80\x99s Vital Records Handbook\nand determine if it will be revised or rescinded.\n\nManagement\xe2\x80\x99s Response to the Report\xe2\x80\x99s Recommendations. OIG provided\nOSO with the formal draft report on September 21, 2012. OSO concurred with\nall 12 of the report\xe2\x80\x99s recommendations. OIG considers the report\xe2\x80\x99s\nrecommendations resolved. However, each recommendation will remain open\nuntil documentation is provided to us that supports the recommendation has\nbeen fully implemented.\n\nOSO\xe2\x80\x99s responses to each recommendation and OIG\xe2\x80\x99s analysis of the responses\nare presented after each recommendation in the body of this report. OIG\xe2\x80\x99s\nresponse to OSO\xe2\x80\x99s overall comments to the report is included in Appendix VIII.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                             September 30, 2012\nReport No. 505\n\n                                     Page vi\n\x0cTABLE OF CONTENTS\nExecutive Summary ....................................................................................................iii\n\nTable of Contents ......................................................................................................vii\n\nBackground and Objectives .................................................................................. 1\n     Background ....................................................................................................... 1\n     Objectives .......................................................................................................... 4\n\nFindings and Recommendations ......................................................................... 5\n     Finding 1: Agency-Wide Staff Assistance Visits of SEC Records\n     Management Programs Were Not Periodically Conducted ................................ 5\n                  Recommendation 1 ....................................................................... 7\n\n         Finding 2: Records Management Training Was Not Provided to All SEC\n         Staff on Their Responsibilities ............................................................................ 7\n                       Recommendation 2 ....................................................................... 9\n\n         Finding 3: Some Records Requests Processing Did Not Align with ORMS\xe2\x80\x99\n         Established Business Goals and Records Requests Were Not Completed\n         in Accordance with the SOP............................................................................... 9\n                      Recommendation 3..................................................................... 12\n\n         Finding 4: Some SEC Offices or Divisions Do Not Have Records\n         Retention Schedules and Others Should Be Updated ..................................... 13\n                      Recommendation 4..................................................................... 15\n\n         Finding 5: Some SEC Offices and Divisions Did Not Review Their Records\n         Retention Schedules and Dispose of Records in Accordance with Their\n         Schedules ........................................................................................................ 16\n                       Recommendation 5..................................................................... 18\n                       Recommendation 6..................................................................... 18\n                       Recommendation 7..................................................................... 19\n\n         Finding 6: The Backlog of Records Being Maintained at FRC Were Not\n         Reviewed ......................................................................................................... 19\n                       Recommendation 8..................................................................... 20\n\n         Finding 7: Records Management Points-of-Contact Have Not Been\n         Identified for All SEC Offices and Divisions ...................................................... 21\n                        Recommendation 9..................................................................... 23\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                                           September 30, 2012\nReport No. 505\n\n                                                    Page vii\n\x0c         Finding 8: SEC\xe2\x80\x99s Vital Records Management Program Needs\n         Improvement .................................................................................................... 23\n                      Recommendation 10................................................................... 28\n                      Recommendation 11................................................................... 28\n\n         Finding 9: SEC\xe2\x80\x99s Records Management Administrative Regulations,\n         Retention Schedule, and Handbook Are Outdated ......................................... 29\n                      Recommendation 12................................................................... 31\n\nAppendices\n    Appendix I: Federal Agencies Records Management Responsibilities. ........... 32\n    Appendix II: Abbreviations................................................................................ 35\n    Appendix III: Scope and Methodology .............................................................. 36\n    Appendix IV: Criteria ........................................................................................ 39\n    Appendix V: List of Recommendations ............................................................ 41\n    Appendix VI: Definitions .................................................................................. 44\n    Appendix VII: Management Comments ............................................................ 46\n    Appendix VIII: OIG\xe2\x80\x99s Response to Management\xe2\x80\x99s Comments ......................... 50\n\nTables\n     Table 1: ORMS Approved Action Codes for Records Requests. ..................... 11\n     Table 2: Survey Results of SEC Offices and Divisions Vital Records\n     Listings ............................................................................................................. 24\n     Table 3: Survey Results of SEC Offices and Divisions Vital Records\n     Listings as Compared to the Vital Records in 2010 COOP Plan and the\n     Draft 2011 Listing. ............................................................................................ 26\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                                           September 30, 2012\nReport No. 505\n\n                                                     Page viii\n\x0c                    Background and Objectives\n\nBackground\nAgency records management programs must have effective controls over the\ncreation, maintenance, and use of records in the conduct of current business.\nFurther, agencies must cooperate with the Archivist and the Administrator of\nGeneral Services Administration in applying standards, procedures, and\ntechniques that are designed to improve the management of records, promote\nthe maintenance and security of records deemed appropriate for preservation,\nand facilitate the segregation and destruction of records of temporary value.6\n\nOn November 28, 2011, a presidential memorandum was issued on managing\ngovernment records. The memorandum emphasizes the importance of having\nwell-managed records management program such as reducing redundant efforts,\nminimizing costs and sharing institutional knowledge within and across\norganizations. Further, the memorandum states that \xe2\x80\x9cproper records\nmanagement is the backbone of open Government.\xe2\x80\x9d7\n\nThe Office of Records Management Services (ORMS) and the Office of Security\nServices (OSS) are direct reporting units to the Office of Support Operations\n(OSO). Previously, ORMS was part of the Office of FOIA, Records Management\nand Security. OSS has oversight of the SEC\xe2\x80\x99s vital records program.\n\nSince May 2007, ORMS has been led by an Archivist who is responsible for\ncoordinating, overseeing and implementing the U.S. Securities and Exchange\nCommission\xe2\x80\x99s (SEC or Commission) records management program at its\nHeadquarters, Operations Center, and 11 Regional Office locations.8 The office\nis comprised of two branches and has a records officer who provides assistance\nto ORMS\xe2\x80\x99 Archivist. Over the past few years ORMS has taken the following\nmeasures to improve the Commission\xe2\x80\x99s records management program:\n\n    \xef\x82\xb7   Developed relationships with records management points-of-\n        contact (POC) and/or employees in SEC offices and divisions;\n    \xef\x82\xb7   Adopted standard operating policy (SOP);\n    \xef\x82\xb7   Improved its records request completion time;\n\n\n\n\n6\n  36 C.F.R. \xc2\xa7 1220.30.\n7\n  Presidential Memorandum \xe2\x80\x93 Managing Government Records, (Nov. 28, 2011), p.1.\n8\n  SEC\xe2\x80\x99s headquarters and regional offices are comprised of 36 offices and divisions that are headed by\nDirectors. SEC also has the Chairman\xe2\x80\x99s office and 4 Commissioners\xe2\x80\x99 offices.\nSEC\xe2\x80\x99s Records Management Practices                                                   September 30, 2012\nReport No. 505\n\n                                                 Page 1\n\x0c    \xef\x82\xb7   Annually sends staff to National Archives and Records\n        Administration (NARA) records management training, as well as\n        other records management training;\n    \xef\x82\xb7   Provided basic records management training during SEC\xe2\x80\x99s new\n        employee orientation; and\n    \xef\x82\xb7   Since January 2012, ORMS has conducted assessments of five\n        Regional Offices\xe2\x80\x99 records management programs and provided\n        training to the staff.\n\nSEC\xe2\x80\x99s records include confidential treatment requests files, correspondence,\ninvestigation records, matters under inquiry records, transcripts, working papers,\nconsumer complaint files, Congressional and Chairman files, administrative\nproceedings files, self-regulatory files, bankruptcy files, effective orders, etc.\n\nThough ORMS oversees the SEC\xe2\x80\x99s overall records management program, most\noffices and divisions have POCs who provide oversight of their individual records\nmanagement program and practices.9 ORMS works with POCs to develop and\nobtain NARA\xe2\x80\x99s approval of records retention schedules for records they either\ncreate or receive from internal and external sources. With few exceptions the\noffices and divisions have records retention schedules that ORMS has reviewed\nand NARA has approved. ORMS maintains the Commission\xe2\x80\x99s overall records\nretention schedule that identifies each office\xe2\x80\x99s and division\xe2\x80\x99s individual records\nretention schedules.\n\nORMS\xe2\x80\x99 other responsibilities include \xe2\x80\x9cproviding reference services for\nCommission staffers, other Federal, state and local entities and members of the\npublic that are essential in assisting the SEC in achieving its mission.\xe2\x80\x9d10\nAdditionally, the office \xe2\x80\x9ccoordinates with the Commission\xe2\x80\x99s Office of Investor\nEducation and Advocacy and Public Reference Room for records reference\nrequests from the public.\xe2\x80\x9d11 Further, ORMS assists the Office of Freedom of\nInformation Act (FOIA) Services, in responding to requests for nonpublic records\nunder FOIA. SEC staff can find answers to questions on \xe2\x80\x9cHow to Request\nRecords\xe2\x80\x9d and \xe2\x80\x9cFrequently Asked Questions About Records\xe2\x80\x9d on the SEC Intranet,\nthe Commission\xe2\x80\x99s internal website.\n\nIn September 2010, ORMS hired a contractor to assess its requirements for an\nautomated Records Management System. As part of this process the contractor\nconducted an assessment of the SEC\xe2\x80\x99s overall records management program\nand identified areas of improvement. In November 2010, the contractor issued\nthe office a report that among other things, recommended ORMS establish\nworking groups or have meetings with record management POCs to enable the\n\n9\n  POCs are mainly comprised of administrative officers and business managers. Others serving in this role\ninclude assistant directors and personnel with various other titles.\n10\n   ORMS, Standard Operating Policy 2.1, Requestors, p.1.\n11\n   Id.\nSEC\xe2\x80\x99s Records Management Practices                                                  September 30, 2012\nReport No. 505\n\n                                                Page 2\n\x0cSEC to deliver timely and current records management guidance to its offices\nand divisions. Further, the report recommended ORMS provide training to SEC\nstaff and develop a communication plan that would \xe2\x80\x9cprovide a consistent means\nof information-sharing and ensure that all offices and staff members are receiving\ncurrent direction on records management issues.\xe2\x80\x9d Additionally, the report\nrecommended ORMS develop \xe2\x80\x9ca 3 to 5 year records management strategic and\nprogram operation plan.\xe2\x80\x9d Further, the report recommended ORMS \xe2\x80\x9cupdate its\nrecords management policies and directives.\xe2\x80\x9d12\n\nNational Archives and Records Administration. NARA defines records as \xe2\x80\x9call\nbooks, papers, maps, photographs, machine readable materials, or other\ndocumentary materials, regardless of physical form or characteristics, made or\nreceived by an agency of the United States government under Federal law or in\nconnection with the transaction of public business and preserved or appropriate\nfor preservation by that agency or its legitimate successor as evidence of the\norganization, functions, policies, decisions, procedures, operations, or other\nactivities of the government or because of the informational value of data in\nthem.\xe2\x80\x9d13\n\nFrom the Federal government\xe2\x80\x99s perspective, records management is the\n\xe2\x80\x9cplanning, controlling, directing, organizing, training, promoting, and other\nmanagerial activities involved in creating, maintaining, using and disposing of\nrecords, to achieve adequate and proper documentation of the policies and\ntransactions of the government, and effective and economical management of\nthe agency\xe2\x80\x99s operations.\xe2\x80\x9d14 The main tool to manage the disposition of records is\nrecords retention schedules.\n\nScheduled records represent Federal records whose final disposition has been\napproved by NARA. Scheduled records are identified in a records retention\nschedule and include both permanent and temporary records.15 Unscheduled\nrecords represent Federal records whose final disposition have not been\napproved by NARA, and are not based on the Standard Form (SF) 115, Request\nfor Records Disposition Authority. NARA requires that unscheduled records\nmust be treated as permanent records until it approves their final disposition.\n\nNARA\xe2\x80\x99s 2010 and 2011 Records Management Self-Assessment reports16 on the\nFederal government\xe2\x80\x99s records management programs found the SEC\xe2\x80\x99s records\nmanagement program scored a 38 in 2010 and a 93 in 2011. ORMS stated that\n\n\n12\n   T-White Parker Strategy & Management Consulting, SEC Records Management Policies and Business\nProcess Assessment, (Nov. 2010), pp. 23-25.\n13\n   44 U.S.C. \xc2\xa7 3301.\n14\n   44 U.S.C. \xc2\xa7 2901(2).\n15\n   Not all records are destroyed.\n16\n   The self-assessment reports scored federal agencies on their compliance with federal statue, including\nNARA guidance, on records management.\nSEC\xe2\x80\x99s Records Management Practices                                                   September 30, 2012\nReport No. 505\n\n                                                 Page 3\n\x0cthe SEC was considered a high risk agency in 2010, but is now considered a low\nrisk agency.\n\nOIG Survey. In December 2011, we administered a survey to designated POCs\nin offices and divisions regarding their records management program,\ncoordination with ORMS, training, etc. The purpose of the survey was to obtain\nan understanding of the offices and divisions records management practices and\nprocedures. The overall response rate to the survey was over 60 percent.\n\nObjectives. The objectives of our audit were to examine whether ORMS:\n\n   \xef\x82\xb7   established a viable records management program that ensures\n       permanent SEC records are appropriately maintained and\n       preserved in accordance with applicable Federal statutes and\n       regulations; and\n   \xef\x82\xb7   adhered to applicable Federal statutes and regulations regarding\n       the retention, disposal, transfer, and recovery of SEC records.\n\nWhere appropriate OIG also identified best practices.\n\nSpecific Federal agencies records management responsibilities are described in\nAppendix I of this report. Definitions for \xe2\x80\x9crecords\xe2\x80\x9d terminology are included in\nAppendix VI of this report.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n\n                                     Page 4\n\x0c            Findings and Recommendations\n\n\nFinding 1: Agency-Wide Staff Assistance Visits of\nSEC Records Management Programs Were Not\nPeriodically Conducted\n       ORMS and its predecessors did not periodically conduct\n       agency-wide staff assistance visits of SEC offices\xe2\x80\x99 and\n       divisions\xe2\x80\x99 records management programs.\n\nThe SEC does not have an active staff assistance program and there is no\nevidence that periodic staff assistance visits were conducted by ORMS or its\npredecessors on all SEC offices and divisions. Not carrying out these\nresponsibilities is inconsistent with the requirements in SECR 7-1, Securities and\nExchange Commission\xe2\x80\x99s Records Management Program, September 29, 1996\n(SECR 7-1).\n\nSECR 7-1 indicates the records officer should schedule and make staff\nassistance visits to each SEC office of record at least every 18 months. It further\nsays to ensure the efficient and economical creation, management and\ndisposition of records SEC-wide, the Records Officer will establish and operate\nan active and continuing staff assistance program. Also, SECR 7-1 states that\nstaff assistance visits should cover the records management program, electronic\nrecords and micrographic records, among other records management disciplines\nsuch as directives, forms, mail, etc.\n\nAssistance ORMS Provided to Offices and Divisions. Over the years ORMS\nhas continually provided assistance to SEC offices and divisions in identifying\ntheir records and scheduling records for disposition. NARA\xe2\x80\x99s guidance does not\nspecifically define formal evaluations and thus, ORMS\xe2\x80\x99 management considers\nthe assistance it provides to offices and divisions as formal evaluations. ORMS\nArchivist informed OIG that prior to January 2012, he was unable to regularly\nconduct the visits as required in SECR 7-1, due to staff shortages. He further\nstated there were other urgent issues the office\xe2\x80\x99s limited resources were focused\non when he assumed the position in May 2007, such as addressing the backlog\nof records that was in storage. He further told OIG that ORMS is generally aware\nof unique records management matters applicable to each SEC office and\ndivision. Since January 2012, ORMS has evaluated five Regional Offices\xe2\x80\x99\nrecords management programs and has plans to evaluate the remaining offices.\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n\n                                      Page 5\n\x0cFeedback From SEC Records Management POCs. In addition to issuing a\nsurvey to the records management POCs, OIG met and conducted phone\ninterviews with them to garner information about their office\xe2\x80\x99s or division\xe2\x80\x99s\nrecords management program and responsibilities. When asked when was the\nlast time they reviewed their records retention schedules and disposed of\nrecords, 13 percent of POCs indicated they had not disposed of any records\nbecause they did not have a records retention schedule; did not have staffing\nresources to do so; or were not knowledgeable about their schedule. Forty\npercent stated their office had never disposed of any records. Another 40\npercent indicated they had worked at the SEC for two years or less and had not\ndisposed of any records. The latter POCs further indicated they did not know\nwhen their office had last disposed of records.\n\nIn interviews, two POCs informed OIG they had received new documents from\nexternal sources and had created new documents in late 2011. However, neither\nknew if documents were considered records and they had not consulted with\nORMS. As discussed in Finding 2 of this report, some POCs are unaware\nORMS is available to provide assistance with determining the disposition of\nrecords.\n\nNot disposing of records in accordance with the approved records retention\nschedule is inconsistent with 36 C.F.R. \xc2\xa7 1228.156 (f), which states that Federal\nagencies \xe2\x80\x9cmust ensure that disposable records, including restricted records\n(security classified or exempted from disclosure by statute, including the Privacy\nAct, or regulation), are destroyed in accordance with the requirements specified\nin 36 C.F.R. \xc2\xa71228.58.\xe2\x80\x9d17\n\nConclusion. An inactive agency-wide staff assistance program can cause\nconfusion among POCs. Misunderstanding of records management\nresponsibilities prevents organizations from achieving the benefits of a well-\nmanaged program, such as maintaining institutional knowledge and preserving\npertinent information.\n\nORMS should periodically conduct agency-wide staff assistance visits of SEC\xe2\x80\x99s\nrecords management programs in accordance with SECR 7-1, so they are aware\nof newly created records and they can provide assurance the SEC is properly\nretaining and scheduling records for disposition. Further, ORMS should inform\nSEC staff they can find answers to questions on the hyperlinks \xe2\x80\x9cHow to Request\nRecords\xe2\x80\x9d and \xe2\x80\x9cFrequently Asked Questions About Records,\xe2\x80\x9d that are located on\nthe SEC\xe2\x80\x99s Intranet. Useful answers to questions that can be found in the\nhyperlinks include \xe2\x80\x9cwhat I need to know about records management, recycling\nand destroying records, record retentions schedules, clearance from records\nmanagement for departing SEC employees,\xe2\x80\x9d etc.\n\n17\n     36 C.F.R. \xc2\xa7 1228.156 (f).\nSEC\xe2\x80\x99s Records Management Practices                               September 30, 2012\nReport No. 505\n\n                                      Page 6\n\x0c           Recommendation 1:\n\n           The Office of Support Operations should ensure the Office of Records\n           Management Services (ORMS) periodically conducts agency-wide staff\n           assistance visits of the Securities and Exchange Commission offices\xe2\x80\x99 and\n           divisions\xe2\x80\x99 records management programs in accordance with SECR 7-1,\n           Securities and Exchange Commission\xe2\x80\x99s Records Management Program.\n           To assist in this process, ORMS should develop a plan that identifies a\n           timeline for the conduct and scope of the staff assistance visits.\n\n           Management Comments. OSO concurred with this recommendation.\n           See Appendix VII for management\xe2\x80\x99s full comments.\n\n           OIG Analysis. We are pleased that OSO concurred with this\n           recommendation.\n\n\nFinding 2: Records Management Training Was Not\nProvided to All SEC Staff on Their\nResponsibilities\n           ORMS did not provide training on records management to\n           employees and POCs agency-wide on their responsibilities,\n           which is inconsistent with a requirement in 36 C.F.R. \xc2\xa7\n           1220.34(f).\n\nDuring the scope of our audit, we determined that ORMS readily answered\nquestions from agency staff that inquired about records matters and provided\nthem assistance. ORMS also conducts a 10-minute informative session on\nrecords management during SEC\xe2\x80\x99s New Employee Orientation for new\nemployees, contractors and interns. Additionally, ORMS conducted a training\nsession on records management at the Office of the Chief Operating Officer\xe2\x80\x99s\n(OCOO) Mission Support Conference that was held in February 2012.\n\nNonetheless, ORMS has not provided agency-wide records management training\nto all staff on a general basis regarding their records management\nresponsibilities, in accordance with 36 C.F.R. \xc2\xa7 1220.34(f). According to 36\nC.F.R. \xc2\xa7 1220.34(f), Federal agencies should \xe2\x80\x9cprovide guidance and training to\nall agency personnel on their records management responsibilities, including the\nidentification of Federal records, in all formats and media.\xe2\x80\x9d18 It should be noted\nthat 36 C.F.R. \xc2\xa7 1220.34 does not address the frequency training should be\noffered to staff.\n\n18\n     36 C.F.R. \xc2\xa71220.34 (f).\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n\n                                        Page 7\n\x0cIn the survey OIG administered to records management POCs, 82 percent of the\nrespondents indicated they had not received any records management training\nfrom ORMS. Our audit found that this lack of training has caused confusion\namong employees who do not understand their records management\nresponsibilities or ORMS\xe2\x80\x99 role and responsibilities. The following examples\nillustrate the confusion regarding records management that POCs shared with\nOIG:\n\n   \xef\x82\xb7   A POC stated that based on her understanding of the\n       Federal regulations related to records management, she\n       thought it was ORMS\xe2\x80\x99 responsibility to review their records\n       retention schedule and to dispose of records.\n\n   \xef\x82\xb7   A senior level staff member who no longer works at the SEC,\n       left documents in her office and staff did not know who had\n       the responsibility to review them and if the documents\n       should be retained or disposed.\n\nORMS Records Management Program and Training. Since January 2012,\nORMS has provided records management training to five Regional Offices.\nFeedback from the Regional Offices indicates the training has been helpful. In\nearly May 2012, ORMS hired two branch chiefs to assist with records operations\nand policy, training and compliance. ORMS\xe2\x80\x99 management says the branch\nchiefs will prepare a branch specific strategic plan and establish a program that\noffers periodic records management training to SEC employees.\n\nThe lack of systematic records management training has resulted in POCs\nretaining records that probably should have been disposed.\n\nOther Agencies\xe2\x80\x99 Records Management Programs and Training. NARA\nprovided OIG with the names of three Federal agencies they believe have well-\nmanaged records program. Two agencies responded to our request for\nfeedback on their programs. Both agencies told us they provide ongoing training\nthrough web-based, on-line, and in-person avenues. They further offer training\non a variety of records management subjects and the training varies depending\non the audience. For instance, different training courses are available for agency\nemployees needing basic records management knowledge and for records\nmanagement POCs who are more familiar with records management regulations.\n\nConclusion. ORMS did not provide records management training to staff\nagency-wide on their records management responsibilities. As a result,\nconfusion exists regarding their responsibilities and ORMS\xe2\x80\x99 records management\nrole and responsibilities. ORMS should develop a systematic records\nmanagement training program that is geared towards all SEC staff and then\nprovide training to all.\nSEC\xe2\x80\x99s Records Management Practices                               September 30, 2012\nReport No. 505\n\n                                     Page 8\n\x0c        Recommendation 2:\n\n        The Office of Support Operations should ensure the Office of Records\n        Management Services (ORMS) develops a records management training\n        program that covers training sessions for all Securities and Exchange\n        Commission employees. ORMS should determine the audience, scope,\n        material, and training schedule. Training factors ORMS should consider\n        include defining records, how to treat records in accordance with Federal\n        regulations and records retention schedule, records management\n        responsibilities for employees and designated points-of-contact.\n\n        Management Comments. OSO concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OSO concurred with this\n        recommendation.\n\n\nFinding 3: Some Records Requests Processing\nDid Not Align With ORMS\xe2\x80\x99 Established Business\nGoals and Records Requests Were Not\nCompleted in Accordance with the SOP\n        ORMS did not process records requests within their\n        established internal business goals. In most cases ORMS\n        staff did not inform its management about the delays in\n        writing, as required per the office\xe2\x80\x99s SOP. Further, ORMS\n        staff did not follow their SOP when processing records\n        requests the office received.\n\nORMS Services and Processes\nORMS provides reference services to staff, as well as \xe2\x80\x9cother Federal, state and\nlocal entities and members of the public that are essential in assisting the SEC in\nachieving its mission.\xe2\x80\x9d19 Additionally, ORMS \xe2\x80\x9ccoordinates with the Commission\xe2\x80\x99s\nOffice of Investor Education and Advocacy and Public Reference Room to\nservice records reference requests from the public\xe2\x80\x9d20 and assists the Office of\nFOIA Services with responding to FOIA requests from the public for nonpublic\nrecords.\n\n19\n   ORMS, Standard Operating Policy for Properly Servicing and Completing a Request for Records \xe2\x80\x93 the\nLifecycle of a Request, p.1.\n20\n   Id.\nSEC\xe2\x80\x99s Records Management Practices                                                September 30, 2012\nReport No. 505\n\n                                               Page 9\n\x0cORMS only accepts records requests from SEC employees. SEC employees\ncan request records by completing the \xe2\x80\x9cRequest For Records Template\xe2\x80\x9d that is\navailable on SEC\xe2\x80\x99s Intranet. Completed templates are emailed to ORMS\xe2\x80\x99\nrecords requests inbox. ORMS maintains a log of record requests to track when\nrecords are received and processed. Among other items, the template includes\na box that can be checked covering areas such as confidential treatment\nrequests files, correspondence, investigation records, matters under inquiry\nrecords, transcripts, workpapers, consumer complaint files, Congressional and\nChairman files, administrative proceedings files, self-regulatory files, bankruptcy\nfiles, and effective orders, etc. Based on fiscal years 2010 and 2011 data we\nreviewed, OIG determined that ORMS receives approximately 210 records\nrequests each month from SEC employees and FOIA. 21\n\nORMS\xe2\x80\x99 SOP indicates the office\xe2\x80\x99s goal is to process requested records within\nthree business days for urgent requests and seven business days for non-urgent\nrequests.22\n\nRecords Requests. To assess the average length of time ORMS spent\nprocessing records requests, OIG obtained and reviewed a sample of 105\nrecords requests23 the office had received. Thirty-eight (38) of 105 records in our\nsample were for non-urgent requests. Our analysis revealed they were not\nprocessed within ORMS\xe2\x80\x99 seven business days goal for non-urgent requests. In\nsome cases it took ORMS up to eight months to process requests. ORMS\ninformed OIG that the delays occurred because some of their staff lacked the\nskills and aptitude needed to properly process requests in a timely fashion.\n\nORMS data on its records requests turnaround time revealed that 80 percent of\nrecords requested in fiscal year 2012 were processed within eight business days.\n\nRequests and ORMS\xe2\x80\x99 SOP. Our audit determined that ORMS staff did not\nfollow its SOP that requires them to notify management regarding delays that\noccur when they processed records that took more than 20 days. ORMS\ninformed us this requirement became effective August 24, 2009. OIG found that\nit took more than 20 days to process 10 of 38 non-urgent records requests in our\nsample. Only 1 of the 10 requests indicated the reason for the delay was\ncommunicated to management. ORMS informed us that although the delay was\nnot properly identified on the records request document, it is possible staff\nverbally communicated the reasons for the delay to management; however it was\nnot documented according to the office\xe2\x80\x99s SOP.\n\n\n\n21\n   The public submits FOIA requests for SEC records to the Office of FOIA Services.\n22\n   ORMS, Standard Operating Policy for Properly Servicing and Completing a Request for Records \xe2\x80\x93 the\nLifecycle of a Request, p.1.\n23\n   Our sample included urgent and non-urgent requests dating from January 2008 to September 2011.\nSEC\xe2\x80\x99s Records Management Practices                                                September 30, 2012\nReport No. 505\n\n                                              Page 10\n\x0cORMS\xe2\x80\x99 SOP further requires its employees to \xe2\x80\x9cplace copies of all documents\n(emails, notes or any other information) pertaining to requests in the dossier and\nreturn the assigned request for records in the dossier to ORMS staff members\nwho are responsible for managing the request for records mailbox and log, the\nORMS Chief, or his (her) designee.\xe2\x80\x9d 24 For 18 of 105 records in our sample,\nsufficient information was not identified in the dossier such as the request form,\nstatus of the request, and completion date. This lack of information prevented\nOIG from determining what the requests were and whether the requests were\ncompleted.\n\nORMS\xe2\x80\x99 SOP also requires the \xe2\x80\x9cstaffer who processed the records request returns\nthe assigned request for records dossier to the ORMS staffer responsible for\nmanaging the request for records mailbox and log, the ORMS Chief or designee.\nThe ORMS employee responsible for managing the records requests mailbox\nand log uses the supporting documentation to code the requested service. [The]\nORMS staff [who completed the records request] does not code the serviced\nrequest.\xe2\x80\x9d25 ORMS uses a system of \xe2\x80\x9capproved codes\xe2\x80\x9d as shown in Table 1\nbelow, to assess the status of records requests the office receives.\n\n           Table 1: ORMS Approved Action Codes for Records Requests\n            ORMS             Action Taken for the Request\n            Code\n                0        Requestor cancelled the records request.\n                1        ORMS closed the records request by referring the requestor to\n                         other sources such as SEC subscription database.\n                2        ORMS completed the records request.\n                R        ORMS reassigned the records request to another staff\n                         member.\n          Source: OIG generated\n\nThere were 2 of 105 records in our sample coded as \xe2\x80\x9c2-completed requests,\xe2\x80\x9d but\nORMS could not locate these records. To aid in resolving this problem, ORMS\nshould develop a new code to categorize requested records that cannot be\nlocated. ORMS management agreed a new code is needed. ORMS further\nstated its staff had previously made this suggestion, but due to other priorities it\nwas not pursued further.\n\nAnother record in our sample was coded as \xe2\x80\x9c8.\xe2\x80\x9d ORMS management told us the\ncode had not been approved and staff had developed it to describe actions they\nhad taken.\n\nWhen asked whether ORMS reviews a sample number of processed records\nrequests, we were told the office had done so in the past, but not consistently.\n\n24\n   ORMS, Standard Operating Policy for Properly Servicing and Completing a Request for Records \xe2\x80\x93 the\nLifecycle of a Request, p. 7.\n25\n   Id.\nSEC\xe2\x80\x99s Records Management Practices                                                September 30, 2012\nReport No. 505\n\n                                              Page 11\n\x0cORMS believes the office can best monitor records requests and other items if\nthe process is automated.\n\nBest Practices. In identifying best practices, OIG consulted with a records\nofficer from another Federal agency who told us their automated records\nmanagement system contributes to the office\xe2\x80\x99s efficiency. She further relayed\nthat the records management system \xe2\x80\x9chas outstanding features such as tracking\nrecords, when the records are due back to the records office, what records are\nup for destruction, etc. It has allowed the records office to locate where records\nare and better track them and identify where permanent assets are.\xe2\x80\x9d Having an\nautomated system for records management may contribute to ORMS efficiently\noverseeing the SEC\xe2\x80\x99s records management program.\n\nConclusion. As evidenced by OIG\xe2\x80\x99s review of a sample number of records\nrequests, some ORMS staff did not follow the office\xe2\x80\x99s SOP records requests\nprocedures and requests were not completed within ORMS\xe2\x80\x99 goal. ORMS should\nimplement additional internal controls such as a more robust management review\nof records requests to ensure staff complete requests within its goal and they\ncomply with their SOP (e.g., including required information in a dossier and\nnotifying management of delays in processing records that take more than 20\ndays).\n\nThe Office of Management and Budget Circular A-123 \xe2\x80\x9cManagement\xe2\x80\x99s\nResponsibility for Internal Control\xe2\x80\x9d establishes that management has a\nfundamental responsibility to develop and maintain effective internal controls.\nIneffective internal controls have prevented ORMS from timely processing\nrecords requests and it has led to confusion on whether records were completed.\nFurther, \xe2\x80\x9ceffective controls over the creation, maintenance, and use of records in\nits current business\xe2\x80\x9d26 will aid ORMS improve the management and maintenance\nof the SEC\xe2\x80\x99s records management program.\n\n           Recommendation 3:\n\n           The Office of Support Operations should ensure the Office of Records\n           Management Services (ORMS) develops internal controls that assure\n           ORMS staff are provided oversight and adhere to the office\xe2\x80\x99s standard\n           operating policy.\n\n           Management Comments. OSO concurred with this recommendation.\n           See Appendix VII for management\xe2\x80\x99s full comments.\n\n           OIG Analysis. We are pleased that OSO concurred with this\n           recommendation.\n\n26\n     36 C.F.R. \xc2\xa7 1220.30.\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n\n                                        Page 12\n\x0cFinding 4: Some SEC Offices or Divisions Do Not\nHave Records Retention Schedules and Others\nShould Be Updated\n        SEC has newly created offices that do not have records\n        retention schedules and there are other offices that ORMS\n        has not met with to create their records retention schedules.\n\nAccording to NARA, Federal agencies are to \xe2\x80\x9cdevelop records schedules for all\nrecords created and received by the agency and obtain NARA approval of the\nschedules prior to implementation, in accordance with 36 C.F.R. parts 1225 and\n1226.\xe2\x80\x9d27 Federal agencies have common records such as personnel, payroll,\nand training records that NARA has classified and are included in General\nRecords Schedules (GRS). GRS are \xe2\x80\x9cissued by the management of the United\nStates to provide disposition authorization for records common to several or all\nagencies of the Federal Government. They include records relating to civilian\npersonnel, fiscal accounting, procurement, communications, printing, and other\ncommon functions, and certain non-textual records. They also include records\nrelating to temporary commissions, boards, councils and committees. Because\nthese schedules are designed to cover records common to several agencies,\nmany record descriptions are general. Agency records officers may either use\nthe schedules as an appendix to an agency printed schedule or tailor the general\nschedules to the agency\xe2\x80\x99s own particular needs and incorporate them into\nagency schedules.\xe2\x80\x9d28 The SEC has five offices that are covered by GRS:29\n\n        1. Office of Equal Employment Opportunity\n        2. Office of Financial Management\n        3. Office of Human Resources (OHR)\n        4. Office of Information Technology (OIT)\n        5. Office of Support Operations\n\nAccording to SECR 7-1, Section B. 8, division directors, office heads, regional\ndirectors and district administrators should \xe2\x80\x9cmake sure that active records are\nproperly and economically maintained and used, and systematic disposition of\ninactive records are made on a regularly scheduled basis.\xe2\x80\x9d\n\nRecords Retention Schedules\n\nSEC offices and divisions are responsible for maintaining their records in\naccordance with their approved retention schedules. As previously discussed,\n\n27\n   36 C.F.R. \xc2\xa7 1220.34.\n28\n   GRS is the retention schedule for these offices. See NARA\xe2\x80\x99s website (http://www.archives.gov),\nIntroduction to the General Records Schedules.\n29\n   OCOO and OSS also have records that are on GRS, as well as records that are not on GRS.\nSEC\xe2\x80\x99s Records Management Practices                                                   September 30, 2012\nReport No. 505\n\n                                                Page 13\n\x0cmost offices and divisions have records retention schedules that have been filed\nwith ORMS. However, the SEC\xe2\x80\x99s comprehensive records schedule is dated\nSeptember 1997. Since then the SEC has added new offices and combined,\nabolished and/or renamed others. Some offices and divisions that are not\ncovered by GRS either do not have records retention schedules or are in the\nprocess of revising their current retention schedules.30 Additionally, the offices\nwhich fall under GRS do not have records retention schedules, other than GRS,\nwhich is the retention schedule for these offices.\n\nOur review of records retention schedules and records management processes\nfound that a particular division identified several risks for the division\xe2\x80\x99s records\nmanagement program such as identifying records owners and outdated records\nmanagement policies. Another office was in the process of redefining the\ndocuments it created and received from internal and external sources during our\naudit. Subsequently, the office conducted a full inventory to identify\n\xe2\x80\x9cscheduled\xe2\x80\x9d31 records and has been working with ORMS to get its\n\xe2\x80\x9cunscheduled\xe2\x80\x9d32 records appropriately scheduled.\n\nOIG further identified POCs from two offices who had not met with ORMS\nregarding documents the office generated that met the records definition or to\ndetermine if a retention schedule was needed. One of the offices indicated that\nin late 2011, staff turned over in its records management function. The office\nrecently hired a managing executive and a business manager to enhance its\noperational functions which includes records management. The POC indicated\nthe office\xe2\x80\x99s prior records management practice was to work with ORMS as issues\narose and they had no continuous or consistent contact with ORMS. The office\nsubsequently met with ORMS to identify its records and modify its records\nretention schedule.\n\nA POC from the second office in our example informed OIG he did not think his\noffice had created any records. The POC stated the records the office \xe2\x80\x9ccreate[s]\nwould be typically managed in systems or files external to [their] office.\xe2\x80\x9d He also\nsaid they would \xe2\x80\x9crely on the email retention mechanisms to manage those\nexternal records to their office. [Hence], the office does not have any specific\npractices and procedures defined [for records management] and [they] do not\nhave retention schedules beyond those of the Commission\xe2\x80\x99s policies as a whole.\xe2\x80\x9d\n\n\n\n30\n   While the retention schedules are being revised, SEC offices and divisions are expected to follow their\ncurrent records retention schedules.\n31\n   Scheduled records represent federal records whose final disposition is approved by NARA. Scheduled\nrecords are identified in a records retention schedule when the records will be destroyed.\n32\n   Unscheduled records represent federal records whose final dispositions have not been approved by\nNARA, and are based on the Form SF 115, Request for Records Disposition Authority. NARA requires that\nunscheduled records must be treated as permanent records until it approves a final disposition for the\nrecords.\nSEC\xe2\x80\x99s Records Management Practices                                                  September 30, 2012\nReport No. 505\n\n                                                Page 14\n\x0cForty-two percent of personnel in our survey indicated their office or division did\nnot have a records retention schedule. This indicates there is a lack of\nunderstanding of records retention schedules. For example, a records\nmanagement POC initially thought his office had not finalized its records\nretention schedule. However, our review of ORMS\xe2\x80\x99 comprehensive records\nschedule and inquiries revealed the office did in fact have a schedule.\n\nORMS should ensure the SEC\xe2\x80\x99s records retention schedules are current. Not\nhaving records retention schedules for all offices and divisions could cause\nPOCs to misunderstand their roles and responsibilities. In addition, it could\npotentially result in retaining unnecessary records or discard records that should\nhave been preserved. ORMS\xe2\x80\x99 management informed us that while they want to\nactively interact with SEC offices and divisions on a continuous basis, it does not\nhave sufficient resources to do so. A few POCs informed us that ORMS should\nactively engage with Commission\xe2\x80\x99s offices and divisions to ensure that robust\nrecords management processes and procedures are in place and are being\ncarried out by Commission staff.\n\n       Recommendation 4:\n\n       The Office of Support Operations should ensure the Office of Records\n       Management Services (ORMS) works with the Securities and Exchange\n       Commission (SEC) offices and divisions to ensure they all have current\n       records retention schedules that encompass the office\xe2\x80\x99s or division\xe2\x80\x99s\n       records. Accordingly, ORMS should determine whether it should update\n       the SEC\xe2\x80\x99s comprehensive records retention schedule to ensure it is\n       reflective of current SEC offices\xe2\x80\x99 and divisions\xe2\x80\x99 records.\n\n       Management Comments. OSO concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OSO concurred with this\n       recommendation.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n\n                                      Page 15\n\x0cFinding 5: Some SEC Offices and Divisions Did\nNot Review Their Records Retention Schedules\nand Dispose of Records in Accordance with Their\nSchedules\n       Some offices and divisions kept all the records they\n       created and received and did not periodically review\n       their records retention schedules and dispose of\n       records in accordance with their schedules.\n\nSome offices keep all the records they create and receive. This could potentially\nlead to inefficient utilization of office space in the future. An office that was\nestablished in 2009 indicated they maintained the records the office created.\nThey are in the process of creating a records retention schedule. ORMS\nindicated that as of late July 2012, NARA was reviewing this office\xe2\x80\x99s records\nretention schedule.\n\nA POC informed OIG that it does not have a records retention schedule, but has\nmet with ORMS to discuss what type of records it has and to determine if a\nrecords retention schedule is necessary. The POC believes that from a risk\nperspective, because the office has approximately 50 employees and generally\ndoes not generate or receive many original records, a records retention schedule\nmay not be needed. He further said many of their employees work in a field that\nencourages the preservation of documents. The office maintains a file room that\nhas historical documents dating back to the 1940s. ORMS was unaware the\noffice had not disposed of any records. OIG confirmed that the office does have\na records retention schedule. Subsequently, ORMS met with the POC to discuss\nthe office\xe2\x80\x99s records and scheduling processes.\n\nOIG met with two POCs whose records are covered by GRS. The first POC\ninformed us they had not reviewed records management regulations regarding\ndisposing and managing the office\xe2\x80\x99s records, due to a lack of resources. She\nfurther indicated the office needed training on records management. ORMS\xe2\x80\x99\nmanagement told OIG that because its office follows GRS their records should\nbe disposed of in accordance with GRS, which requires that most records have a\ntwo-year retention period. The second POC stated since her arrival at the SEC\nin November 2009, the office had not reviewed their records to determine how\nand what should be disposed of, and had contacted NARA for guidance. The\noffice plans to review the disposition of its records in the near future.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n\n                                     Page 16\n\x0cBacklog of Records at FRC Need to Be Reviewed. Additionally, our audit\nfound that ORMS had not reviewed the content of 256 boxes their contractor\nidentified in its November 2010 report. The boxes contained records ORMS\nreceived from various sources and ORMS needs to review the content of the\nboxes to determine the disposition and dates of the records.33 In September\n2012, ORMS informed OIG that it has now reviewed 98 boxes and they are\ncoordinating with the FRC to review the content of the remaining boxes.\n\nProper Records Management Procedures. We determined that many offices\nand divisions do not have proper records management procedures and do not\nensure active records are properly and economically maintained and used on a\nregular basis. Further, the systematic disposition of inactive records is not\nregularly performed. Many POCs indicated they are unsure when the offices\xe2\x80\x99\nand divisions\xe2\x80\x99 records should be disposed of and do not do so annually.\n\nWhen a FOIA request for a record is received and the record is available,\nFederal agencies are expected to provide the record after a reasonable research\nhas been conducted. Whether the record should be disposed of in accordance\nwith the retention schedule is irrelevant. If the record exists, even though it\nshould have been disposed of in accordance with the retention schedule, the\nSEC is required to provide it in a FOIA request. As such, there is a risk the SEC\ncould provide information that should have been disposed. The FOIA office\ninformed OIG that during the litigation discovery period for records, Federal\nagencies are expected to perform extensive searches and provide the record if\nthe agency has it, regardless of the record\xe2\x80\x99s retention period.\n\nNot having a records management program or procedures that enable offices\nand divisions to review records retention schedule and to properly dispose of\nrecords violates 36 C.F.R. \xc2\xa7 1220.34(d) which states that agencies must \xe2\x80\x9cassign\nrecords management responsibilities in each program (mission) and\nadministrative area to ensure the incorporation of recordkeeping requirements\nand records maintenance, storage, and disposition practices into agency\nprograms, processes, system and procedures. Moreover, it violates 36 C.F.R. \xc2\xa7\n1220.34 (g) which states that agencies must \xe2\x80\x9cdevelop records schedules for all\nrecords created and received by the agency and obtain NARA approval of the\nschedules prior to implementation, in accordance with 36 C.F.R. \xc2\xa7 1225 and\n1226.\xe2\x80\x9d34\n\nORMS has not periodically contacted all records management POCs and\nprovided them with guidance regarding their responsibility to identify records for\ndisposal. By not disposing of records in a timely manner and taking full action to\n\n\n33\n   The report ORMS\xe2\x80\x99 contractor issued in November 2010 identified the 256 boxes. ORMS stated the initial\nsize of the backlog was approximately 1,000 boxes.\n34\n   36 C.F.R. \xc2\xa7 1220.34 (d) and (g).\nSEC\xe2\x80\x99s Records Management Practices                                                 September 30, 2012\nReport No. 505\n\n                                               Page 17\n\x0cpreserve records having no administrative, legal, or other value, could cause the\nSEC to inefficiently use office space and increase the cost to preserve records.\n\nConclusion. Several offices did not dispose of their records in accordance with\nthe records retention schedules. Additionally, our audit revealed that ORMS has\na backlog of records that was identified in 2010 that still needs to be reviewed to\ndetermine the proper treatment of the records. ORMS\xe2\x80\x99 actions has led non-\ncompliance with Federal regulations that requires records be properly disposed\nof based on the records retention schedules. Further, not disposing of records in\naccordance with the records retention schedules poses a risk the SEC is\nproviding information when a FOIA request is made.\n\n       Recommendation 5:\n\n       The Office of Support Operations should ensure the Office of Records\n       Management Services establishes records management procedures that\n       enable the offices and divisions to properly manage their records in\n       accordance with applicable federal regulations and Securities and\n       Exchange Commission\xe2\x80\x99s administrative regulations.\n\n       Management Comments. OSO concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OSO concurred with this\n       recommendation.\n\n       Recommendation 6:\n\n       The Office of Support Operations should ensure the Office of Records\n       Management Services establishes a definitive plan and milestones to\n       review the remaining backlog of boxes that are being maintained at the\n       Federal Records Center and ensures proper disposition of the records that\n       are contained in the boxes.\n\n       Management Comments. OSO concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OSO concurred with this\n       recommendation.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n\n                                     Page 18\n\x0c         Recommendation 7:\n\n         The Office of Support Operations should ensure the Office of Records\n         Management Services provides guidance to records management points-\n         of-contact and requires, at least annually, they determine whether there\n         are any records requiring disposal for their individual offices and divisions.\n\n         Management Comments. OSO concurred with this recommendation.\n         See Appendix VII for management\xe2\x80\x99s full comments.\n\n         OIG Analysis. We are pleased that OSO concurred with this\n         recommendation.\n\n\nFinding 6: The Backlog of Records Being\nMaintained at FRC Were Not Reviewed\n         ORMS has 10-year backlog of SEC records at the FRC that\n         are eligible for destruction and they did not review and\n         approve the records for destruction.\n\nORMS has not timely reviewed Commission records that are eligible for\ndestruction. ORMS Archivist inherited a substantial backlog of records upon his\narrival to the SEC in May 2007. The backlog represents approximately 10 years\nof records that are eligible for destruction. ORMS must review and approve\nthese records before they can be destroyed.\n\nORMS Records Disposal Cycle. At the end of each fiscal year FRC sends a\nrecords disposal form to ORMS that lists all the SEC\xe2\x80\x99s records in their\npossession that are eligible for permanent destruction. The disposition form\nincludes a job number and the year the record is due to be destroyed. The form\nalso identifies if the records are temporary. FRC submits a request to ORMS for\nits approval before it destroys the records.35\n\nFRC informed ORMS they had 29,345 cubic feet of records eligible for\ndestruction at the end of fiscal year 2011. ORMS approved the destruction of\n2,306 cubic feet of these records. We concluded that had ORMS timely\nreviewed the records in prior years, the backlog would not exist.\n\n\n\n35\n   44 U.S.C., Disposal of Records, \xc2\xa7 3303a(e), requires an examination by Archivist of lists and schedules of\nrecords lacking preservation value. Further, it states \xe2\x80\x9c[The Archivist of the United States] may approve and\neffect the disposal of records that are in his legal custody, provided that records that had been in the custody\nof another existing agency may not be disposed of without the written consent of the head of the agency.\xe2\x80\x9d\nSEC\xe2\x80\x99s Records Management Practices                                                      September 30, 2012\nReport No. 505\n\n                                                  Page 19\n\x0cAs part of our sampling, OIG requested the following information from ORMS:\n\n     \xef\x82\xb7   The number of records ORMS disposed of each year;\n     \xef\x82\xb7   The number of records that remains to be destroyed by year; and\n     \xef\x82\xb7   The total number of records the SEC created from 1999 to 2011.\n\nORMS was unable to provide the information we requested because it does not\nhave a viable method to track the information.\n\nFurther, OIG found that ORMS does not maintain a list of the Commission\nrecords that are eligible for destruction identified by FRC. However, the office\ndoes maintain hard copies of the disposal forms the FRC provides to ORMS.\nOIG\xe2\x80\x99s review of the approved disposal forms for fiscal year 2011 found that a\nform was completed for all disposals and the disposals were properly approved.\n\nOIG could not perform a walkthrough of ORMS\xe2\x80\x99 record disposal process because\nour observation of their records indexing36 was problematic.37 For example,\nbased on ORMS\xe2\x80\x99 record indexing we requested records for our review.\nHowever, none of the records were found because the index was incorrect.\nORMS says the indexing problem only exists for records that were created\nbefore 2008. Further, ORMS stated until they can do a full inventory of the\nCommission\xe2\x80\x99s records that are located at the FRC and verify the records, none of\nthem can be destroyed.\n\nConclusion. ORMS did not dispose of SEC records in accordance with the\nretention schedules, which is inconsistent with 44 U.S.C. \xc2\xa7 3102, Establishment\nof Program of Management, that requires Federal agencies establish and\nmaintain an active, continuing program for the economical and efficient\nmanagement of the agency records.38\n\n         Recommendation 8:\n\n         The Office of Support Operations should ensure the Office of Records\n         Management Services (ORMS) develops an action plan to address the\n         10-year backlog of records that the Federal Records Center (FRC)\n         identified as eligible for destruction. In developing an action plan, ORMS\n         should determine a timeline to address the backlog of records, a timeline\n         to conduct a full inventory of the Security and Exchange Commission\xe2\x80\x99s\n         records, and how ORMS will address the indexing system for archived\n         records.\n\n\n36\n   ORMS indexes records by maintaining a log that states where the records are located.\n37\n   In September 2012, ORMS management informed OIG that the records have been reviewed and legacy\nissues were identified that must now be resolved before the records can be approved for destruction.\n38\n   44 U.S.C. \xc2\xa7 3102.\nSEC\xe2\x80\x99s Records Management Practices                                              September 30, 2012\nReport No. 505\n\n                                             Page 20\n\x0c           Management Comments. OSO concurred with this recommendation.\n           See Appendix VII for management\xe2\x80\x99s full comments.\n\n           OIG Analysis. We are pleased that OSO concurred with this\n           recommendation.\n\n\nFinding 7: Records Management Points-of-\nContact Have Not Been Identified for All SEC\nOffices and Divisions\n           While most offices and divisions have appointed POCs for\n           records management matters, some have not; therefore,\n           ORMS cannot clearly identify POCs for each office or\n           division. OIG could not determine who all the designated\n           records management POCs were for individual offices or\n           divisions based on ORMS\xe2\x80\x99 listing of meetings held with SEC\n           offices and divisions for records management matters.\n\nNARA, 36 C.F.R., Section 1220.34(d) requires Federal agencies to \xe2\x80\x9cassign\nrecords management responsibilities in each program (mission) and\nadministrative area to ensure incorporation of recordkeeping requirements and\nrecords maintenance, storage, and disposition practices into agency programs,\nprocesses, systems, and procedures.\xe2\x80\x9d39\n\nOIG requested a list of SEC\xe2\x80\x99s records management POCs and learned that\nalthough ORMS does not maintain an official listing, it has a list of offices and the\nnames of people they worked with on records management matters. At the SEC,\nbusiness managers and administrative officers typically serve as records\nmanagement POCs, but other employees such as assistant directors, legal\ncounsel, etc., also serve in this role. ORMS has established relationships with\noffices and divisions and they address any questions and concerns the may have\nregarding records matters. ORMS provided us with a list of employees they met\nwith over the past few years regarding records matters, and employees they\nconsider to be POCs.\n\nWe determined that ORMS\xe2\x80\x99 list needs to be updated to include all POCs. While\nmost offices and divisions have appointed POCs for records management\nmatters, some have not. Moreover, our audit found some offices and divisions\ndid not have designated POCs until 2011 or 2012. Furthermore, there appears\nto be confusion between ORMS and offices and divisions pertaining to who is\n\n39\n     36 C.F.R. \xc2\xa7 1220.34(d).\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n\n                                       Page 21\n\x0cdesignated as the records management POC. For example, OIG was informed\nof a particular employee who had been the office\xe2\x80\x99s records management POC\nsince the 1990s, but he was not on ORMS\xe2\x80\x99 list. In another instance, ORMS\xe2\x80\x99 list\nidentified an employee from an office as the records management POC.\nHowever, the employee said he only worked with ORMS on records matters for\nhis branch and not for the entire office. We later found that the office director had\nassigned its assistant directors as records management POCs. However, the\nnames of the assistant directors were not on ORMS\xe2\x80\x99 records management list.\nMoreover, an employee ORMS identified as a POC for another office told OIG\nshe was not the records management POC. OIG was later informed that the\nhead of the office, along with two employees, were responsible for the office\xe2\x80\x99s\nrecords; however, they were not identified as POCs on ORMS\xe2\x80\x99 list. Further, an\noffice told us they did not have a POC due to staff turnover. Subsequently, the\noffice appointed a records management POC. Lastly, one office just designated\na records management POC in January 2012.\n\nAdditionally, our audit found that ORMS has not reviewed the records\nmanagement program of two headquarters offices. ORMS stated that one of the\noffice directors started at the SEC in November 2011, and due to other priorities\nthey had not contacted the office but planned to do so. ORMS told us that not all\noffices and divisions consider records management a priority and it has been\ndifficult for certain offices and divisions to focus on records management\npractices. This is consistent with NARA officials\xe2\x80\x99 observations. NARA officials\ntold us that the lack of priority for records management is common in Federal\nagencies. However, because of a records destruction matter that occurred at the\nSEC, it appears offices and divisions are now more supportive of ORMS\xe2\x80\x99\ninitiatives.\n\nA management official informed us she thought ORMS was responsible for\nreviewing the office\xe2\x80\x99s retention schedule, when in fact this responsibility resides\nwith each office or division. Further, an administrative officer who serves as the\nrecords management POC stated she has not worked with ORMS since 2008\nand was unfamiliar with record rules and ORMS\xe2\x80\x99 responsibilities.\n\nBased on a recommendation from NARA, OIG contacted two Federal agencies\nand an independent Federal agency from the financial industry, and asked them\nhow they communicated with offices in their agencies regarding records\nmanagement matters. The agencies told us they have records management\nPOCs in each office at their respective agency.\n\nConclusion. SEC\xe2\x80\x99s records management directives do not require offices or\ndivisions to have records management POCs. ORMS management agrees that\nestablishing records management POCs for all offices and divisions is important,\nbut say they need the support and assistance of SEC offices and divisions to do\nso.\n\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n\n                                      Page 22\n\x0cNot having records management POCs has contributed to ineffective\ncommunication between ORMS and SEC offices and divisions on records\nmanagement matters, such as misunderstandings regarding responsibilities and\nstaff not properly following Federal regulations and SEC policies on records\nmanagement.\n\n        Recommendation 9:\n\n        The Office of Support Operations should ensure the Office of Records\n        Management Services (ORMS) issues a directive, requiring all Securities\n        and Exchange Commission offices and divisions to designate a point-of-\n        contact (POC) for records management matters and inform ORMS of their\n        designated POC. ORMS should maintain a list of POCs that is verified\n        annually.\n\n        Management Comments. OSO concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OSO concurred with this\n        recommendation.\n\n\nFinding 8: SEC\xe2\x80\x99s Vital Records Management\nProgram Needs Improvement\n        Offices and divisions are not reviewing their vital records\n        listing annually in compliance with Federal regulations.\n        Further, we determined the SEC\xe2\x80\x99s vital records are not\n        current and complete based on our review of vital records in\n        12 offices and divisions.\n\nDesignated staff in SEC offices and divisions are not annually reviewing and/or\nupdating their vital records in accordance with Federal Continuity Directive 1\n(FCD 1), Federal Executive Branch National Continuity Program and\nRequirements, which states that \xe2\x80\x9cat a minimum, vital records should be annually\nreviewed, rotated, or cycled so that the latest version will be available.\xe2\x80\x9d40\nFurther, the SEC is not in compliance with 36 C.F.R. \xc2\xa7 1223.14(c) which states\nthat agencies must \xe2\x80\x9censure that the designation of vital records is current and\ncomplete.\xe2\x80\x9d\n\n\n\n40\n  Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and\nRequirements, (Feb. 2008), Annex I, p. I-3.\nSEC\xe2\x80\x99s Records Management Practices                                                 September 30, 2012\nReport No. 505\n\n                                               Page 23\n\x0cOSS is responsible for SEC\xe2\x80\x99s vital records management. OSS provided OIG\nwith the SEC\xe2\x80\x99s Continuity of Operations (COOP) Plan (2010 COOP Plan), dated\nApril 2010, which included a listing of vital records for SEC offices and divisions.\nOIG also obtained and reviewed SEC\xe2\x80\x99s draft 2011 vital records listing. We found\nthat the 2010 COOP Plan and the draft 2011 vital records listing include vital\nrecords of an office that no longer exists and whose function was merged into\nanother office that was created in September 2009.\n\nVital Records at the SEC. According to SEC\xe2\x80\x99s 2010 COOP plan, vital records\nare \xe2\x80\x9celectronic and hardcopy documents, references, and records needed to\nsupport essential functions during a continuity of operations situation. The two\nbasic categories of records are emergency operating records and legal and\nfinancial records.\xe2\x80\x9d SEC defines emergency operating records as \xe2\x80\x9crecords that\nsupport the execution of an agency\xe2\x80\x99s essential functions.\xe2\x80\x9d In addition, SEC\ndefines legal and financial records as \xe2\x80\x9crecords that are needed to protect the\nlegal and financial rights of the Government and of the persons affected by its\nactions.\xe2\x80\x9d\n\nSEC Offices and Divisions Are Not Reviewing Their Vital Records Listing\nAnnually. OIG interviewed staff from 12 offices and divisions that were on\nSEC\xe2\x80\x99s Continuity Task Force, and had responsibility for maintaining their office or\ndivision\xe2\x80\x99s vital records listing. 41 Staff was asked \xe2\x80\x9cWhen was the last time you\nreviewed and/or updated your vital records listing?\xe2\x80\x9d Our audit found the answers\nshown in Table 2.\n\n                        Table 2: Survey Results of SEC Offices and\n                        Divisions Vital Records Listings\n                          Number of                    Category Results\n                           Offices\n                                 2           Reviewed their vital records listing\n                                             annually\n                                 2           Reviewed their vital records listing\n                                             continuously\n                                 2           Did not review their vital records\n                                             listing annually\n                                 2           Reviewed their vital records listing a\n                                             year or more ago\n                                 3           Did not know when they last\n                                             reviewed or updated their vital\n                                             records listing\n                                1            Other\n                             Total 12\n                        Source: OIG Generated.\n\n\n\n41\n   SEC\xe2\x80\x99s Continuity Task Force was made up of agency-wide personal designees who have oversight of\ntheir offices\xe2\x80\x99 or divisions\xe2\x80\x99 vital records and periodically met with the defunct Office of the Executive Director\nto discuss COOP matters and their vital records responsibilities.\nSEC\xe2\x80\x99s Records Management Practices                                                         September 30, 2012\nReport No. 505\n\n                                                   Page 24\n\x0cOne designee in the \xe2\x80\x9creviewed their vital records listing continuously\xe2\x80\x9d category\nwas unable to provide the vital records listing due to staff turnover. One\ndesignee in the \xe2\x80\x9creviewed their vital records listing annually\xe2\x80\x9d category admitted\nthe last time they updated its vital records listing was in May 2010 in preparation\nfor the May 2010 exercise. The designee further stated the office reviews its vital\nrecords listing prior to the national COOP government exercise that occurs every\ntwo years. A second designee in this category stated that the last time they\nreviewed and updated its vital records listing was in June 2006. A designee in\nthe \xe2\x80\x9cdid not know when they last reviewed or updated their vital records listing\xe2\x80\x9d\ncategory stated that OSS recommended the office not rely on old vital records\nlisting and to disregard it because the list may contain items that are not vital\nrecords. Further, the designee stated OSS informed them that the way SEC\npreviously identified and maintained vital records may change. A designee in the\n\xe2\x80\x9creviewed their vital records listing a year or more ago\xe2\x80\x9d category stated that it\ncurrently updates the vital records listing as changes occur and they will review it\nquarterly. Finally, the designee in the \xe2\x80\x9cother\xe2\x80\x9d category stated that December\n2011 was the first time the office had formally reviewed and updated its vital\nrecords listing and the office has kept a catalog of its vital records from its\ninception in 2009.\n\nVital Records Listing. We obtained the 12 offices and divisions vital records\nlistings and compared them to the vital records that were included in the 2010\nCOOP Plan and the draft 2011 listing. Our testing revealed the following results\nas illustrated in Table 3.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n\n                                     Page 25\n\x0c     Table 3: Survey Results of SEC Offices and Divisions Vital Records\n     Listings, as Compared to the Vital Records in 2010 COOP Plan and\n     the Draft 2011 Listing\n                                                    Did Not       New Office-No\n                              Agreed   Did Not                                         No Vital\n                                                    Agree to     Vital Records in\n                  Vital         to      Agree                                          Records\n       Office/                                     Draft 2011      2010 COOP\n                 Records       2010    to 2010                                        Received\n      Division                                        Vital       Plan/No Draft\n                 Agreed       COOP      COOP                                         From Office/\n                                                    Records         2011 Vital\n                               Plan      Plan                                          Division\n                                                     Listing     Records Listing\n         1           \xef\x83\xbc\n         2           \xef\x83\xbc\n         3           \xef\x83\xbc\n         4                       \xef\x83\xbc                     \xef\x83\xbc\n         5                                 \xef\x83\xbc           \xef\x83\xbc\n         6                                 \xef\x83\xbc           \xef\x83\xbc\n         7                                 \xef\x83\xbc           \xef\x83\xbc\n         8                                                                               \xef\x83\xbc\n         9                                                                               \xef\x83\xbc\n         10                                                                              \xef\x83\xbc\n         11                                                                              \xef\x83\xbc\n         12                                                          \xef\x83\xbc\n     Source: OIG Generated.\n\nSpecifically, we found that only three offices and divisions records agreed to the\ndraft 2011 vital records list. OIG\xe2\x80\x99s findings demonstrate that although SEC\noffices and divisions are responsible for reviewing their vital records listing\nannually and updating the vital records as necessary, oversight is needed to\nensure all offices and divisions monitor their vital records listing at least annually\nand verify their compliance with Federal regulations.\n\nDefunct Office of the Executive Director. Prior to OSO the defunct Office of\nthe Executive Director was responsible for coordinating SEC\xe2\x80\x99s continuity efforts,\ncontinuity of operations,42 and vital records management which is a component\nof the COOP. The defunct Office of the Executive Director, with OIT\xe2\x80\x99s\nassistance, created the Continuity Support Center (CSC), which is a computer\nsystem that designated vital records staff in SEC offices and divisions could\naccess and post key documents and vital records electronically. Though OSS\xe2\x80\x99\nChief of Security Services says he has accessed the CSC, OSS has not\ndetermined if it will be used to maintain the SEC\xe2\x80\x99s vital records until a full\nassessment of the vital records program has been performed.\n\n42\n  Vital records management is a component of continuity of operations according to FEMA. See Elements\nof Viable Continuity Capability at http://www.fema.gov/about/org/ncp/coop/index.shtm. According to FEMA,\ncontinuity of operations, as defined in the National Security Presidential Directive-51/Homeland Security\nPresidential Directive-20 (NSPD-51/HSPD-20) and the National Continuity Policy Implementation Plan\n(NCPIP), is an effort within individual executive departments and agencies to ensure that Primary Mission\nEssential Functions (PMEF) continue to be performed during a wide range of emergencies, including\nlocalized acts of nature, accidents and technological or attack-related emergencies.\nSEC\xe2\x80\x99s Records Management Practices                                                  September 30, 2012\nReport No. 505\n\n                                               Page 26\n\x0cIn prior years the defunct Office of the Executive Director oversaw Continuity\nTask Force meetings that were held to keep vital records personnel abreast of\nCOOP matters and remind them to update their vital records. OIG reviewed a\ncopy of a Continuity Task Force meeting that was held on January 25, 2011.43\nThe agenda reminded staff that vital records listing should be updated\ncontinuously and kept available electronically and in hard-copy.\n\nOSS and ORMS Vital Records Roles. OSS\xe2\x80\x99 Chief of Security Services and\nORMS management are working together to evaluate the SEC\xe2\x80\x99s vital records\nprogram. OSS\xe2\x80\x99 Chief of Security Services informed us that his office had not yet\ndetermined what constitutes a SEC vital record and a contractor the office hired\nin June 2012, will assist them not only with COOP management, but will also\nassess the SEC\xe2\x80\x99s vital records management program. OIG determined that\nwithout defining what vital records are, the SEC cannot ensure its vital records\nare adequately protected, accessible and immediately usable.\n\nRequired Annual Review of SEC\xe2\x80\x99s Vital Records Program. OIG\xe2\x80\x99s review of\nNARA\xe2\x80\x99s 2010 Records Management Self-Assessment Report44 found that\nFederal agencies are required to perform an annual review of their vital records\nprogram,45 consistent with FCD 1, which states vital records program \xe2\x80\x9cmust\ninclude an annual review of the program to address new security issues, identify\nproblem areas, update information, and incorporate any additional vital records\ngenerated by new agency programs or functions or by organization changes to\nexisting programs or function\xe2\x80\xa6\xe2\x80\x9d46 OSS could not provide us with support to\nshow that annual reviews of SEC\xe2\x80\x99s vital records program were previously\nperformed.\n\nCompliance with NARA Guidance and Federal Regulations. When OIG\nasked OSS how it ensures the SEC complies with NARA guidance and Federal\nregulations for vital records program, we were told that based on its initial review\nof existing vital records program, \xe2\x80\x9cthe SEC might not have vital records in\naccordance with NARA guidance.\xe2\x80\x9d\n\n36 C.F.R. \xc2\xa7 1223.14 states that agencies must \xe2\x80\x9cappropriately inform all staff\nabout vital records.\xe2\x80\x9d Except for a training session SEC employees took on vital\nrecords in 2010, OSS officials were unsure how SEC previously informed its staff\n\n43\n   In the past Continuity Task Force meetings were held to inform SEC offices and divisions about COOP\nmatters and to remind them of their responsibility to update their vital records listing.\n44\n   According to the report\xe2\x80\x99s executive summary, \xe2\x80\x9cthe goal of the self-assessment is to determine whether\nfederal agencies are compliant with statutory and regulatory records management requirements.\xe2\x80\x9d NARA,\n2010 Records Management Self-Assessment Report, An Assessment of Records Management Programs in\nthe Federal Government, (Feb. 22, 2011), p.2.\n45\n   NARA, 2010 Records Management Self-Assessment Report, An Assessment of Records Management\nPrograms in the Federal Government, (Feb. 22, 2011), p.30.\n46\n   Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and\nRequirements, (Feb. 2008), Annex I, p. I-3.\nSEC\xe2\x80\x99s Records Management Practices                                                September 30, 2012\nReport No. 505\n\n                                              Page 27\n\x0cabout vital records. We were also informed that the SEC has not established\nretrieval procedures for vital records.\n\nOSS will work with their contractor to validate COOP and vital records\nrequirements, establish retrieval procedures for vital records and ensure the vital\nrecords and COOP program complies with NARA and Federal regulations.\n\nConclusion. SEC has not defined its vital records and does not review or\nupdate vital records annually. As a result, SEC\xe2\x80\x99s listing of vital records are not\ncomplete or current. Further, the SEC has not definitively established how it will\nprotect and retrieve vital records in emergency situations. The SEC must ensure\nit develops and fully supports a vital records management program that is\nadequately tested, protected, accessible and available to support its mission.\n\nNon-compliance with NARA\xe2\x80\x99s guidance on vital records occurred because this\nresponsibility was transferred to OSS and ORMS and the predecessor (defunct\nOffice of the Executive Director) did not retain adequate records or\ndocumentation regarding the SEC\xe2\x80\x99s vital records program. As a result, there has\nbeen confusion regarding who is responsible for reviewing NARA guidance and\nensuring the SEC\xe2\x80\x99s vital records program complies with NARA guidance. If not\ncorrected, the conditions outlined in this finding could potentially prevent the SEC\nfrom performing mission essential functions in emergency or other situations that\ncould cause disruptions in its normal operations.\n\n       Recommendation 10:\n\n       The Office of Support Operations should ensure the Office of Security\n       Services, in coordination with the Office of Records Management\n       Services, develops a vital records program that includes processes and\n       procedures to establish and maintain the Securities and Exchange\n       Commission\xe2\x80\x99s vital records in accordance with applicable Federal\n       regulations and the National Archives and Records Administration\xe2\x80\x99s\n       guidance on vital records management.\n\n       Management Comments. OSO concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OSO concurred with this\n       recommendation.\n\n       Recommendation 11:\n\n       The Office of Support Operations should ensure the Securities and\n       Exchange Commission\xe2\x80\x99s (SEC) procedures and processes for vital\n       records management include, but are not limited to:\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n\n                                     Page 28\n\x0c                  1) Designating points-of-contact (POC) for offices or division that\n                     have vital records;\n                  2) Ensuring appropriate hardware, software and system\n                     documentation are adequate to operate the systems and can\n                     access SEC\xe2\x80\x99s vital records in cases of emergencies;\n                  3) Ensuring vital records information is updated throughout the\n                     year and reviewed annually; and\n                  4) Providing designated POCs with vital records requirements or\n                     new information at least once a year.\n\n         Management Comments. OSO concurred with this recommendation.\n         See Appendix VII for management\xe2\x80\x99s full comments.\n\n         OIG Analysis. We are pleased that OSO concurred with this\n         recommendation.\n\n\nFinding 9: SEC\xe2\x80\x99s Records Management\nAdministrative Regulations, Retention Schedule,\nand Handbook Are Outdated\n         SEC\xe2\x80\x99s records management administrative regulations,\n         records retention schedule, and the Vital Records Handbook\n         have not been revised in a number of years. Additionally,\n         the administrative regulations refer to sample forms and\n         processes that are no longer available or are no longer\n         followed, respectively.\n\nSpecifically, SEC\xe2\x80\x99s administrative regulations (SECR-7 series) related to records\nmanagement have not been revised dating as far back as May 1991.47 Further,\nSEC\xe2\x80\x99s records retention schedule has not been revised or updated since\nSeptember 1997. ORMS informed OIG that they are in the process of updating\nthe administrative regulations. We were also told that ORMS conducted a high\nlevel review of the regulations and did not find any grossly incorrect information.\nMoreover, regarding the SECR-7 series covering electronic records\nmanagement, OIT informed us that they are working with ORMS to update the\npolicies and procedures on electronic records.\n\n47\n   The SEC administrative regulations in the SECR-7 series that are discussed in this report are comprised\nof the following five SECRs that are related to records management: SECR 7-1, Records Management\nProgram (September 29, 1996); SECR 7-2, Records Management, Creation, Maintenance and Use of\nRecords, Including Files (August 5, 1993); SECR 7-3, Disposition of Securities and Exchange Commission\nRecords (July 21, 1993); SECR 7-6, Electronic Records (May 23, 1991); and SECR 7-7, Records\nManagement, Vital Records (July 21, 1993).\nSEC\xe2\x80\x99s Records Management Practices                                                   September 30, 2012\nReport No. 505\n\n                                                Page 29\n\x0cNARA does not provide specific guidance on when or how often Federal\nagencies should update their administrative regulations, procedures, and policies\non records management. However, according to NARA\xe2\x80\x99s 2010 Records\nManagement Self-Assessment Report \xe2\x80\x9ca third of the respondents\xe2\x80\xa6have not\nupdated their directive(s) in a number of years.\xe2\x80\x9d NARA further asserts that \xe2\x80\x9cthis\nis a deficiency in their records management programs. They are not accounting\nfor new records series, and they are not keeping up with records management\nbest practices.\xe2\x80\x9d Additionally, NARA stated that bulletins and related guidance on\nrecords management are issued on an ongoing basis. NARA believes that\nagencies need to incorporate pertinent portions of such guidance into their\ndirectives and other issuances. 48 NARA\xe2\x80\x99s 2011 Records Management Self-\nAssessment Report described updating directives continues to be a problematic\narea as it stated that there was \xe2\x80\x9clittle change in the data\xe2\x80\xa6.30 percent [of\nrespondents] said they have not updated their directive since FY 2006 or\nearlier.\xe2\x80\x9d49\n\nORMS stated that while it agrees with NARA\xe2\x80\x99s assessment, NARA should\nprovide clear guidance on how often or when directives should be updated.\n\nOIG determined that ORMS\xe2\x80\x99 outdated administrative records management\nregulations and records retention schedule have caused confusion among SEC\nstaff. One management official stated that when she reviewed the SECR 7-2,\n\xe2\x80\x9cCreation, Maintenance and Use of Records, Including Files,\xe2\x80\x9d August 5, 1993,\nlocated on the SEC\xe2\x80\x99s Intranet and clicked the hyperlinks for Figures 3-1 and 3-2,\nthe figures were not available. ORMS was unaware of this matter and said they\nwould look into it. Further, ORMS stated by the end of September 2012, the\noffice will issue updated administrative regulations on records management.\n\nSEC\xe2\x80\x99s Vital Records Handbook. OIG\xe2\x80\x99s review of SEC\xe2\x80\x99s Vital Records\nHandbook (Handbook), dated August 30, 1996, revealed that much of the\ninformation and procedures outlined in the Handbook are outdated. For example\nthe Handbook indicates that individuals responsible for their offices\xe2\x80\x99 records\nmanagement must prepare the SEC Form 2883, as of September 30 each year\nand submit it to the SEC records officer before November 1 of that year. It\nfurther explains that Form 2883 is an annual status report of the vital records\nprogram and discusses \xe2\x80\x9cthe status of each individual office or region\xe2\x80\x99s progress\nin implementing the vital records management program or if implemented, that\ninventories of records selected have been examined and are still valid.\xe2\x80\x9d\nHowever, we found that the SEC Form 2883 is no longer in use and is not\navailable in SEC\xe2\x80\x99s internal forms listing. In addition, our inquiry with ORMS\xe2\x80\x99\n\n\n48\n   NARA, 2010 Records Management Self-Assessment Report, An Assessment of Records Management\nPrograms in the Federal Government, (Feb.22, 2011), p.15.\n49\n   Id., p.8.\nSEC\xe2\x80\x99s Records Management Practices                                         September 30, 2012\nReport No. 505\n\n                                          Page 30\n\x0cformer records officer who has been with the office since 1999 revealed that to\nhis recollection, no SEC office or division has sent a Form 2883 to ORMS.\n\nOSS informed OIG they have not reviewed the Handbook. OSS\xe2\x80\x99 and ORMS\xe2\x80\x99\nmanagement indicated the Handbook will be reviewed as part of OSS\xe2\x80\x99\ncontractor\xe2\x80\x99s requirements to assess the vital records program.\n\nConclusion. To lessen confusion and ensure current and updated information is\nprovided to SEC staff, the records management SECR-7 series and the\nHandbook should either be revised or rescinded. These items contain\nterminology, processes, and assign responsibilities that are outdated and thus\nneed to be revisited. For example, terms such as automatic data processing,\nautomatic data processing equipment, electronic, information processing center\nor mainframe are outdated, but can be found in some SECR-7 series and the\nHandbook.\n\nAs discussed in the Presidential Memorandum \xe2\x80\x93 Managing Government\nRecords, (Nov. 28, 2011), current and relevant records management information\nis needed to ensure the SEC\xe2\x80\x99s records are properly managed. Outdated records\nmanagement and vital records information has resulted in SEC staff not\neffectively managing records and has resulted in staff not fully complying with\ngoverning Federal records management statutes and the requirements that are\nestablished in the SECR-7 series.\n\n       Recommendation 12:\n\n       The Office of Support Operations should ensure the Office of\n       Records Management Services (ORMS) revises the Securities and\n       Exchange Commission\xe2\x80\x99s (SEC) administrative regulations on\n       records management and determines whether it will rescind the\n       Vital Records Handbook. Once ORMS updates the SEC\n       administrative regulations it should inform and train SEC\n       employees on the updated records management administrative\n       regulations.\n\n       Management Comments. OSO concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OSO concurred with this\n       recommendation.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n\n                                     Page 31\n\x0c                                                                          Appendix I\n\n\n                      Federal Agencies\n             Records Management Responsibilities\n\nAgency heads have specific legal requirements for records management which\ninclude:\n\n     \xef\x82\xb7   Making and preserving records that contain adequate and proper\n         documentation of the organization\xe2\x80\x99s functions, policies, decisions,\n         procedures, and essential transactions. The records must be\n         designed to furnish the information needed to protect the legal and\n         financial rights of the government and persons directly affected by\n         the agency's activities;50\n     \xef\x82\xb7   Establishing and maintaining an active, continuous program for the\n         economical and efficient management of the agency\xe2\x80\x99s records;51\n     \xef\x82\xb7   Establishing safeguards against the removal or loss of records and\n         making requirements and penalties known to agency officials and\n         employees; and 52\n     \xef\x82\xb7   Notifying the Archivist of any actual, impending, or threatened unlawful\n         destruction of records and assisting in their recovery.53\n\n36 C.F.R. \xc2\xa7 1220.32, dictates that federal agencies must create and maintain\nauthentic, reliable, and usable records and ensure that they remain so for the\nlength of their authorized retention period. A comprehensive records\nmanagement program provides policies and procedures for ensuring that:\n\n             (a) Records documenting agency business are created or\n                 captured;\n             (b) Records are organized and maintained to facilitate\n                 their use and ensure integrity throughout their\n                 authorized retention periods;\n             (c) Records are available when needed, where needed,\n                 and in a usable format to conduct agency business;\n             (d) Legal and regulatory requirements, relevant\n                 standards, and agency policies are followed;\n             (e) Records, regardless of format, are protected in a safe\n                 and secure environment and removal or destruction is\n                 carried out only as authorized in records schedules;\n                 and\n\n\n50\n   44 U.S.C. \xc2\xa7 3101.\n51\n   44 U.S.C. \xc2\xa7 3102.\n52\n   44 U.S.C. \xc2\xa7 3105.\n53\n   44 U.S.C. \xc2\xa7 3106.\nSEC\xe2\x80\x99s Records Management Practices                                   September 30, 2012\nReport No. 505\n\n                                        Page 32\n\x0c                                                                           Appendix I\n\n\n               (f) Continuity of operations is supported by a vital\n                   records program (see part 1223 of this subchapter).54\n\nFurther, 36 C.F.R. \xc2\xa7 1220.34, discusses the following activities federal agencies\nmust perform for records management:\n\n               (a) Assign records management responsibility to a person and\n                   office with appropriate authority within the agency to\n                   coordinate and oversee implementation of the agency\n                   comprehensive records management program principles in \xc2\xa7\n                   1220.32;\n               (b) Advise NARA and agency managers of the name(s) of the\n                   individual(s) assigned operational responsibility for the\n                   agency records management program;\n               (c) Issue a directive(s) establishing program objectives,\n                   responsibilities, and authorities for the creation,\n                   maintenance, and disposition of agency records. Copies of\n                   the directive(s) (including subsequent amendments or\n                   supplements) must be disseminated throughout the agency,\n                   as appropriate, and a copy must be sent to NARA;\n               (d) Assign records management responsibilities in each\n                   program (mission) and administrative area to ensure\n                   incorporation of recordkeeping requirements and records\n                   maintenance, storage, and disposition practices into agency\n                   programs, processes, systems, and procedures;\n               (e) Integrate records management and archival requirements\n                   into the design, development, and implementation of\n                   electronic information systems as specified in \xc2\xa7 1236.12 of\n                   this subchapter;\n               (f) Provide guidance and training to all agency personnel on\n                   their records management responsibilities, including\n                   identification of Federal records, in all formats and media;\n               (g) Develop records schedules for all records created and\n                   received by the agency and obtain NARA approval of the\n                   schedules prior to implementation, in accordance with 36\n                   C.F.R. parts 1225 and 1226 of this subchapter;\n               (h) Comply with applicable policies, procedures, and standards\n                   relating to records management and recordkeeping\n                   requirements issued by the Office of Management and\n                   Budget, NARA, General Services Administration, or other\n                   agencies, as appropriate;\n               (i) Institute controls ensuring that all records, regardless of\n                   format or medium, are properly organized, classified or\n\n54\n     36 C.F.R. \xc2\xa7 1220.32.\nSEC\xe2\x80\x99s Records Management Practices                                   September 30, 2012\nReport No. 505\n\n                                         Page 33\n\x0c                                                                    Appendix I\n\n\n              indexed, and described, and made available for use by all\n              appropriate agency staff; and\n          (j) Conduct evaluations to measure the effectiveness of records\n              management programs and practices, and to ensure that\n              they comply with NARA regulations in this subchapter.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                             September 30, 2012\nReport No. 505\n\n                                     Page 34\n\x0c                                                                     Appendix II\n\n\n                              Abbreviations\n\n             CFR        Code of Federal Regulations\n             COOP       Continuity of Operations\n             CSC        Continuity Services Center\n             FCD        Federal Continuity Directive\n             FEMA       Federal Emergency Management\n                        Agency\n             FOIA       Freedom of Information Act\n             FRC        Federal Records Center\n             GRS        General Records Schedules\n             NARA       National Archives and Records\n                        Administration\n             NFC        Department of Agriculture\xe2\x80\x99s National\n                        Finance Center\n             OCOO       Office of the Chief Operating Officer\n             OFIS       Office of Filings and Information\n                        Services\n             OHR        Office of Human Resources\n             OIG        Office of Inspector General\n             OIT        Office of Information Technology\n             ORMS       Office of Records Management\n                        Services\n             OSO        Office of Support Operations\n             OSS        Office of Security Services\n             POC        Point-of-Contact\n             SEC or     U.S. Securities and Exchange\n             Commission Commission\n             SECR       SEC Administrative Regulation\n             SF         Standard Form\n             SOP        Standard Operating Policy\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n                                     Page 35\n\x0c                                                                    Appendix III\n\n\n                      Scope and Methodology\n\nAs part of our annual audit plan the OIG conducted an audit of the SEC\xe2\x80\x99s records\nmanagement program.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives.\nWe determined that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nScope. The scope of our audit covered calendar years 2008 to 2010 and\nJanuary 2011 to September 2011. Our initial fieldwork was conducted from late\nOctober 2011 to February 2012. Our audit focused on SEC\xe2\x80\x99s records\nmanagement program and practices and determining whether its records\nmanagement program enables the agency to properly handle records in\naccordance with applicable federal statute and guidance. In addition, we\nreviewed records management procedures and practices that SEC offices and\ndivisions follow to assess whether they are in compliance with the SEC\xe2\x80\x99s\nadministrative regulations and federal laws on records management.\n\nDue to a staffing shortage, the audit was temporarily suspended from March to\nearly July 2012. The report\xe2\x80\x99s findings, conclusions and recommendations for this\nreport were reconfirmed from mid-July to August 2012.\n\nMethodology. To meet the objectives of assessing whether ORMS established a\nviable records management program that ensures permanent SEC records are\nappropriately maintained and preserved in accordance with applicable federal\nstatutes and regulations, we obtained and reviewed applicable records\nmanagement federal regulations and examined SEC\xe2\x80\x99s records management\nprogram and practices to determine whether the Commission complies with the\nfederal statue and regulations. OIG met with ORMS management and its staff to\ndiscuss SEC\xe2\x80\x99s records management program and compliance with federal laws\non records management. We inquired NARA officials about their assessment of\nSEC\xe2\x80\x99s records management program. Further, we reviewed NARA\xe2\x80\x99s 2010 and\n2011 records management self-assessment reports on records management\nprograms in the federal government. The self-assessment reports scored federal\nagencies on their compliance with federal statue, including NARA guidance, on\nrecords management. We reviewed the results of SEC\xe2\x80\x99s records management\nprogram that were included in the self-assessment reports. We also met with\nrecords management POCs as well as other management officials who are\nresponsible for records management program in SEC offices and divisions to\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n                                     Page 36\n\x0c                                                                      Appendix III\n\n\nassess whether their practices and procedures complied with federal statute on\nrecords management. Also, we contacted three federal agencies to learn about\ntheir records management program and to determine how they comply with\nrecords management federal regulations. We also developed and administered\na survey to directors, business managers, administrative officers in SEC offices\nand divisions regarding their records management program and knowledge\nabout federal statue on records management. OIG reviewed and analyzed the\nresults of the survey.\n\nTo achieve the objective of examining whether ORMS adheres to applicable\nfederal statutes and regulations regarding the retention, disposal, transfer, and\nrecovery of SEC records, we reviewed a sample of records requests that were\nprocessed by ORMS. We examined SEC offices and divisions records\nmanagement practices for retaining and disposing of records and their process\nfor reviewing their records retention schedule. We also inquired ORMS\nmanagement, its staff, and SEC offices and divisions about the procedures in\nplace to ensure SEC complies with federal statutes and regulations regarding the\nretention, disposal, transfer and recovery of SEC records. Further, we also\nexamined SEC\xe2\x80\x99s records management practices to determine if they are in\ncompliance with SEC\xe2\x80\x99s administrative regulations on records management.\nSome of the questions in the survey we administered to directors, business\nmanagers, and administrative officers addressed matters related to their handling\nof records they created or received from external sources.\n\nFinally, we identified areas which improvement could be made, documented the\nresults of our audit work and facilitated implementation of recommendations\nnoted in the report.\n\nInternal Controls. For this audit, we based our assessment of ORMS\xe2\x80\x99 internal\ncontrols that were significant to the audit objectives on the Committee of\nSponsoring Organizations of the Treadway Commission framework, such as\ncontrol environment, control activities, information and communication, and\nmonitoring. Among the internal controls that we assessed were ORMS\xe2\x80\x99 controls\nrelated to processing records requests, management\xe2\x80\x99s monitoring process over\nrecords requests that could not be processed within 20 days, and ORMS\xe2\x80\x99 policies\nand procedures to meet its objectives.\n\nJudgmental and Statistical Sampling. ORMS provided us with a list of all\nrecords requests it received from January 1, 2008 to September 30, 2011.\nORMS\xe2\x80\x99 universe of records requests totaled 8,015. We used the EZ Quant\nStatistical Analysis Audit tool to generate a statistical sample of 89 records\nrequests. The sample was designed to project rates of occurrence with 90\npercent confidence that the point estimate is within \xc2\xb1 5 percent of the audit\nuniverse.\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n                                     Page 37\n\x0c                                                                      Appendix III\n\n\nWe also judgmentally selected additional 16 records requests from the list to\nensure that our sample included the various types of records requests such as\nrecords requested by external parties. Because we used both judgmental and\nstatistical sampling techniques, we did not try to project the results of records\nrequests reviewed in our sample to the entire population.\n\nPrior Audit Coverage. In 1997, the OIG performed an audit of the SEC\xe2\x80\x99s\nautomation of records management to determine if the Commission has\nestablished sufficient policies and procedures for electronic records and to\nidentify possible improvements to electronic records management.\n\n   \xef\x82\xb7   Automated Records Management, Report No. 262, September 29,\n       1997.\n\nThe report included six recommendations. Three recommendations were issued\nto the former Office of Filings and Information Services (OFIS) which included\nrecords management function and the remaining three recommendations were\nissued to OIT. Both OFIS and OIT concurred with the recommendations that\nwere issued to them. For the recommendations that were issued to OFIS, OIG\nasked ORMS management on the status of the recommendations. ORMS\nmanagement stated that since ORMS Archivist\xe2\x80\x99s arrival at the SEC, they enacted\nprocesses that were responsive to all of the recommendations directed to OFIS.\nBased on supporting documents ORMS management provided, OIG determined\nthat the recommendations issued to OFIS were addressed and closed. Further,\nOIG determined that OIT addressed the recommendations issued to them, and\nthese recommendations were also closed.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n                                     Page 38\n\x0c                                                                        Appendix IV\n\n\n                                     Criteria\n\n36 C.F.R. \xc2\xa7 1220 Federal Records: General, Subpart A, General Provisions\nand Subpart B, Agency Records Management Program Responsibilities.\nDiscusses, among other things, who is responsible for records management,\nNARA\xe2\x80\x99s responsibilities for records management such as issuing regulations on\nrecords management, establishing standards for the retention of records having\ncontinuing value, etc., and federal agencies\xe2\x80\x99 records management\nresponsibilities and what federal agencies must do to carry out their records\nmanagement responsibilities.\n\n44 U.S.C. \xc2\xa7 2901 - Definitions. Provides definitions for terms used for records\nmanagement, including records disposition.\n\n44 U.S.C. \xc2\xa7 31- Records Management by Federal Agencies. States general\nduties of records management by agency heads, establishment of program of\nrecords management, and transfer of records to records center, etc.\n\n44 U.S.C. \xc2\xa7 33 - Disposal of Records. Discusses, among other things,\ndefinition of records, regulations covering lists of records for disposal and\nprocedure for disposal.\n\nFederal Continuity Directive 1 (FCD 1), Federal Executive Branch National\nContinuity Program and Requirements. Discusses a requirement for federal\nagencies to have a vital records program that must include an annual review of\nthe program to address new security issues, identify problem areas, update\ninformation, and incorporate any additional vital records generated by new\nagency programs or functions or by organization changes to existing programs or\nfunction.\n\nSECR 7-1, SEC Administrative Regulation, Records Management Program\n(September 29, 1996). Lists SEC\xe2\x80\x99s records management program requirements\nand objectives and assigns responsibilities for records management.\n\nSECR 7-2, SEC Administrative Regulation, Records Management, Creation,\nMaintenance and Use of Records, Including Files (August 5, 1993).\nDiscusses SEC\xe2\x80\x99s procedures and policies for records management.\n\nSECR7-3, SEC Administrative Regulation, Disposition of Securities and\nExchange Commission Records (July 21, 1993). Prescribes policies,\nresponsibilities, program objectives, and procedures for disposing, retiring or\ntransferring records. Applies to personnel who create or accumulate records\nagency-wide.\n\n\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n                                      Page 39\n\x0c                                                                      Appendix IV\n\n\nSECR7-6, SEC Administrative Regulation, Electronic Records\n(May 23, 1991). Prescribes policies, responsibilities, and procedures for\nestablishing, testing, and implementing electronic recordkeeping as alternatives\nto or in conjunction with paper records subject to SECR 7-2. Provides guidance\nto ensure permanent preservation of archival information which is in machine-\nreadable form.\n\nSECR7-7, SEC Administrative Regulation, Records Management, Vital\nRecords (July 21, 1993). Establishes SEC\xe2\x80\x99s vital records program and provides\nguidance and instructions for implementing the program. Applies to agency-wide\nstaff and activities.\n\nORMS\xe2\x80\x99 Standard Operating Policy. The SOP identifies ORMS\xe2\x80\x99 policies and\nprocedures for processing records requests and it identifies the offices\xe2\x80\x99\nresponsibilities.\n\nOMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control,\n(December 21, 2004) (Revised). Establishes that management has a\nfundamental responsibility to develop and maintain effective internal control.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n                                     Page 40\n\x0c                                                                      Appendix V\n\n\n                    List of Recommendations\n\nRecommendation 1:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) periodically conducts agency-wide staff\nassistance visits of the Securities and Exchange Commission offices\xe2\x80\x99 and\ndivisions\xe2\x80\x99 records management programs in accordance with SECR 7-1,\nSecurities and Exchange Commission\xe2\x80\x99s Records Management Program. To\nassist in this process, ORMS should develop a plan that identifies the timeline for\nthe conduct and scope of the staff assistance visits.\n\nRecommendation 2:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) develops a records management training\nprogram that covers training sessions for all Securities and Exchange\nCommission employees. ORMS should determine the audience, scope,\nmaterial, and training schedule. Training factors ORMS should consider include\ndefining records, how to treat records in accordance with Federal regulations and\nrecords retention schedule, records management responsibilities for employees\nand designated points-of-contact.\n\nRecommendation 3:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) develops internal controls that assure ORMS\nstaff are provided oversight and adhere to the office\xe2\x80\x99s standard operating policy.\n\nRecommendation 4:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) works with the Securities and Exchange\nCommission (SEC) offices and divisions to ensure they all have current records\nretention schedules that encompass the office\xe2\x80\x99s or division\xe2\x80\x99s records.\nAccordingly, ORMS should determine whether it should update the SEC\xe2\x80\x99s\ncomprehensive records retention schedule to ensure it is reflective of current\nSEC offices\xe2\x80\x99 and divisions\xe2\x80\x99 records.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                                September 30, 2012\nReport No. 505\n                                     Page 41\n\x0c                                                                     Appendix V\n\n\nRecommendation 5:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services establishes records management procedures that enable\nthe offices and divisions to properly manage their records in accordance with\napplicable federal regulations and Securities and Exchange Commission\xe2\x80\x99s\nadministrative regulations.\n\nRecommendation 6:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services establishes a definitive plan and milestones to review the\nremaining backlog of boxes that are being maintained at the Federal Records\nCenter and ensures proper disposition of the records that are contained in the\nboxes.\n\nRecommendation 7:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services provides guidance to records management points-of-\ncontact and requires, at least annually, they determine whether there are any\nrecords requiring disposal for their individual offices and divisions.\n\nRecommendation 8:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) develops an action plan to address the 10-year\nbacklog of records that the Federal Records Center (FRC) identified as eligible\nfor destruction. In developing an action plan, ORMS should determine a timeline\nto address the backlog of records, a timeline to conduct a full inventory of the\nSecurity and Exchange Commission\xe2\x80\x99s records, and how ORMS will address the\nindexing system for archived records.\n\nRecommendation 9:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) issues a directive, requiring all Securities and\nExchange Commission offices and divisions to designate a point-of-contact\n(POC) for records management matters and inform ORMS of their designated\nPOC. ORMS should maintain a list of POCs that is verified annually.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n                                     Page 42\n\x0c                                                                    Appendix V\n\n\nRecommendation 10:\n\nThe Office of Support Operations should ensure the Office of Security Services,\nin coordination with the Office of Records Management Services, develops a vital\nrecords program that includes processes and procedures to establish and\nmaintain the Securities and Exchange Commission\xe2\x80\x99s vital records in accordance\nwith applicable Federal regulations and the National Archives and Records\nAdministration\xe2\x80\x99s guidance on vital records management.\n\nRecommendation 11:\n\nThe Office of Support Operations should ensure the Securities and Exchange\nCommission\xe2\x80\x99s (SEC) procedures and processes for vital records management\ninclude, but are not limited to:\n\n       1) Designating points-of-contact (POC) for offices or division that have\n          vital records;\n       2) Ensuring appropriate hardware, software and system documentation\n          are adequate to operate the systems and can access SEC\xe2\x80\x99s vital\n          records in cases of emergencies;\n       3) Ensuring vital records information is updated throughout the year and\n          reviewed annually; and\n       4) Providing designated POCs with vital records requirements or new\n          information at least once a year.\n\nRecommendation 12:\n\nThe Office of Support Operations should ensure the Office of Records\nManagement Services (ORMS) revises the Securities and Exchange\nCommission\xe2\x80\x99s (SEC) administrative regulations on records management\nand determines whether it will rescind the Vital Records Handbook. Once\nORMS updates the SEC administrative regulations it should inform and\ntrain SEC employees on the updated records management administrative\nregulations.\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                              September 30, 2012\nReport No. 505\n                                     Page 43\n\x0c                                                                       Appendix VI\n\n\n                                 Definitions\n\n1. Disposing of Records - 44 U.S.C. \xc2\xa7 2901, defines disposing of records as\n   any activity related to: (a) the destruction of temporary records that are no\n   longer necessary for the conduct of business; (b) transferring records to the\n   Federal agency storage facility such as FRC or a third-party storage; (c)\n   transferring records determined to have sufficient historical or other value\n   warranting continued preservation to NARA; or (d) the transfer of records\n   from one Federal agency to any other Federal agency.\n\n2. General Records Schedule - According to NARA, general records schedule\n   is issued by the Archivist of the United States to provide disposition\n   authorization for records common to several or all agencies of the Federal\n   Government. They include records relating to civilian personnel, fiscal\n   accounting, procurement, communications, printing, and other common\n   functions, and certain non-textual records. They also include records relating\n   to temporary commissions, boards, councils and committees. Because these\n   schedules are designed to cover records common to several agencies, many\n   record descriptions are general.\n\n3. Records - 44 U.S.C. \xc2\xa7 3301 defines records as all books, papers, maps,\n   photographs, machine readable materials, or other documentary materials,\n   regardless of physical form or characteristics, made or received by an agency\n   of the United States government under federal law or in connection with the\n   transaction of public business and preserved or appropriate for preservation\n   by that agency or its legitimate successor as evidence of the organization,\n   functions, policies, decisions, procedures, operations, or other activities of the\n   government or because of the informational value of data in them.\n\n4. Records Retention Schedule - 36 C.F.R. \xc2\xa7 1220.18 defines records\n   schedule as any of the following:\n\n       (1) SF 115, Request for Records Disposition Authority, which were\n           approved by NARA to authorize the disposition of Federal records;\n       (2) GRS issued by NARA; or\n       (3) A published agency manual or directive containing the records\n           descriptions and disposition instructions approved by NARA on one or\n           more SF 115s or issued by NARA in the GRS.\n\n5. Scheduled Records - Federal records whose final disposition has been\n   approved by NARA on a SF 115, Request for Records Disposition Authority,\n   GRS, or in a federal agency\xe2\x80\x99s manual or directive containing the records\n   descriptions and disposition instructions approved by NARA.\n\nSEC\xe2\x80\x99s Records Management Practices                                 September 30, 2012\nReport No. 505\n                                      Page 44\n\x0c                                                                      Appendix VI\n\n\n6. Temporary Records - 36 C.F.R. \xc2\xa7 1220.18 defines temporary records as any\n   Federal record that has been determined by the Archivist of the United States\n   to have insufficient value (on the basis of current standards) to warrant its\n   preservation by [NARA]. This determination may take the form of: (1) records\n   designated as disposable in an agency records disposition schedule\n   approved by NARA (SF 115, Request for Records Disposition Authority); or\n   (2) records designated as disposable in GRS.\n\n7. Unscheduled Records - Federal records whose final disposition has not\n   been approved by NARA on a SF 115, Request for Records Disposition\n   Authority or records designated as disposable in GRS. Such records must be\n   treated as permanent until a final disposition is approved.\n\n8. Vital Records - According to NARA, vital records are \xe2\x80\x9cessential agency\n   records that are needed to meet operational responsibilities under national\n   security emergencies or other emergency conditions (emergency operating\n   records) or to protect the legal and financial rights of the Government and\n   those affected by Government activities (legal and financial rights records).\xe2\x80\x9d\n   Additionally NARA defines vital records program as \xe2\x80\x9cthe policies, plans, and\n   procedures developed and implemented and the resources needed to\n   identify, use, and protect the essential records needed to meet operational\n   responsibilities under national security emergencies or other emergency\n   conditions or to protect the Government\xe2\x80\x99s rights or those of its citizens.\xe2\x80\x9d\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                               September 30, 2012\nReport No. 505\n                                     Page 45\n\x0c                                                  Appendix VII\n\n\n                      Management Comments\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices             September 30, 2012\nReport No. 505\n                                     Page 46\n\x0c                                                  Appendix VII\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices             September 30, 2012\nReport No. 505\n                                     Page 47\n\x0c                                                  Appendix VII\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices             September 30, 2012\nReport No. 505\n                                     Page 48\n\x0c                                                  Appendix VII\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices             September 30, 2012\nReport No. 505\n                                     Page 49\n\x0c                                                                    Appendix VIII\n\n\n    OIG\xe2\x80\x99s Response to Management\xe2\x80\x99s Comments\n\nWe are pleased OSO concurred with all 12 recommendations in our report and\nare encouraged that the office will take the steps needed to fully implement the\nrecommendations. We believe that the full implementation of these\nrecommendations will serve to strengthen the SEC\xe2\x80\x99s records management\npractices.\n\nHowever, OIG disagrees with certain statements in OSO\xe2\x80\x99s overall response to\nthis report. In particular, OSO\xe2\x80\x99s statement that the scope of our audit and\nrecommendations highlight issues that existed prior to 2008 is not factual. The\nscope of our audit was from January 1, 2008 to September 30, 2011, and our\naudit results are based on appropriate, factual evidence and OIG observations\nthat were made during the scope of the audit. The administrative regulations that\nOIG applied to some of our findings and recommendations are based on the five\nSECRs that are specific to records management, and were issued by the SEC\nfrom May 1991 to September 1996. Consequently, OIG recommended and OSO\nagreed to revise these SECRs.\n\nFurther, while OSO\xe2\x80\x99s statement the office conducted 383 records management\nrelated meetings encompassing staff of 5 SEC divisions and 17 offices may be\ntrue, OSO did not provide OIG with any evidence the office conducted staff\nassistance visits from 2008 to 2011 of the SEC\xe2\x80\x99s 36 offices, divisions, and\nregional offices, in accordance with SECR 7-1, Securities and Exchange\nCommission\xe2\x80\x99s Records Management Program, which states the records officer\nshould schedule and make staff assistance visits to each SEC office of record at\nleast every 18 months.\n\nAdditionally, though ORMS provided records management training to a large\nnumber of SEC staff, it has not provided records management training to all SEC\nstaff in compliance with 36 C.F.R. \xc2\xa7 1220.34(f), which indicates Federal agencies\nmust \xe2\x80\x9cprovide guidance and training to all agency personnel on their records\nmanagement responsibilities, including the identification of Federal records\xe2\x80\xa6\xe2\x80\x9d\n\n\n\n\nSEC\xe2\x80\x99s Records Management Practices                               September 30, 2012\nReport No. 505\n                                     Page 50\n\x0c                     Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General for Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, or mismanagement at the SEC,\n      contact the Office of Inspector General at:\n\n              Phone: 877.442.0854\n\n              Web-based Hotline Complaint Form:\n              www.reportlineweb.com/sec_oig\n\x0c"